June 27, 2019
Cyber Essentials, the UK government scheme launched in 2014 to give organisations a baseline level of protection against common cyber attacks, has become the fastest growing information security standard in the world. There is no doubt the scheme has been successful, but its future is currently uncertain, and this puts both the success of the scheme and the cyber security of UK businesses at risk.
As a member of the first cohort of the GCHQ cyber accelerator, the London Office for Rapid Cybersecurity Advancement (LORCA), working closely with the NCSC and DCMS, and as a presenter at CYBERUK, we have had the unparalleled opportunity to draw insights from key stakeholders. After discussions with stakeholders from business, industry and government, one thing is clear: there is substantial confusion in the sector. We are in a position to shed light on the challenges and bring clarity to a sector that is shaken and riddled with uncertainty.
It is important that we consider the feedback of all stakeholders so that we can move forward in a concerted effort to ensure the future security of our nation. All stakeholders share the same vision, but with several conflicting perspectives there is no agreement on how we get there. As it stands, the scheme and its success so far are at risk. This uncertainty has led to under-investment from the sector and confusion among the very organisations that need to be assured.
If the right foundation is not put in place for the scheme, much of the progress will be lost or, at worst, reversed. If the right decisions are made, for the right reasons, the scheme can achieve a level of success beyond anyone's expectations.
To make those decisions, clear information and a single source of truth are required. Here are the key characteristics that will underpin the scheme's future success.
Most information security standards are inherently unscalable: they require physical audits, extensive documentation and manual processes. Cyber Essentials set out to address this with self-assessment at the basic level. This allowed the scheme to scale in its initial phase, but it is still not ready for mass adoption. At the current take-up rate, it would take centuries to certify every business in the UK. A delivery chain is needed for the vast and diverse range of organisations within the country. In particular, the existing certification bodies and the thousands of managed service providers need to be engaged in order to deliver the assurance scheme to all who need it.
Cyber Essentials at its basic level needs to be priced so that every organisation can afford it. That includes the costs of assessing, implementing, certifying and maintaining the standard on an ongoing basis. The vast majority of SMEs have neither the ability to implement and maintain the scheme themselves nor the resources to hire dedicated security professionals to assist. There is also a severe shortage of skilled security professionals, and those who exist are best deployed assuring critical data and infrastructure rather than hand-holding every small business through a baseline.
The confusion, fear, uncertainty and doubt within the industry mean that security and compliance are overwhelming for most organisations. The NCSC website, with its cohesive guidance and clear language, has helped organisations understand what is needed to implement a baseline level of security. The issue remains that it does not help them to actually implement it. Lowering the technical expertise required to implement and maintain Cyber Essentials brings it within reach of many organisations for which it was previously inaccessible.
For any scheme to succeed, it must be consistent: one Cyber Essentials certification should be equal to any other. There should be a single standard from an authoritative source, and it should be as objective as possible. The challenge is ensuring consistency across the diverse range of approaches to managing IT that exist, from micro and small businesses with no IT team, to those with third-party managed IT, to larger organisations with dedicated IT professionals.
To deliver assurance at this scale, we need to use digital systems and data. This brings with it the challenges of managing that data, and a requirement for security by design and assured technology. However, it also provides real-time insight into the adoption, implementation, maintenance and effectiveness of controls. Data brings us closer to the truth and allows us to ensure the scheme is meeting its aims and adapting to an ever-changing landscape.
The effectiveness of the current scheme comes from its focus on an appropriate level of assurance over a small yet comprehensive control set, given that the majority of attacks succeed because basic controls were not properly implemented or maintained. That assurance only holds if compliance is continuous, so it needs to be easier for an organisation to stay compliant than to fall out of compliance.
Fast forward to 2025: after a concerted effort, the UK is now the world leader in cyber security, and the safest place to live and do business online. This was achieved by making assurance programmes accessible, affordable and scalable, brought to a level that everyone can attain with confidence that certification is consistent. Data drives the ongoing development of the schemes as they respond to the changing environment. Other countries look to the UK as a model of how an adaptable scheme can defend and assure a nation.