
Gary Hibberd


The government is using the Cyber Essentials scheme to make UK businesses more secure in this increasingly hostile world, and to do this it has set itself a strategy. In this article we review the strategy and the future plans for the scheme, and reflect on whether it is meeting the government’s objectives.

The government has stated that, through Cyber Essentials, it is seeking to:

  1. Improve business cybersecurity awareness and understanding
  2. Provide informed choices about the most appropriate solutions to improve cybersecurity
  3. Increase foundational awareness of being cybersecure
  4. Provide an easier route to becoming more secure through Cyber Essentials, compared with alternative schemes and standards
  5. Make sure not to routinely mandate Cyber Essentials where other alternatives are already held

For many of those seeking to get Cyber Essentials to allow bidding on lucrative government contracts, the scheme can be just a tick-box exercise. This is an unfortunate truth that we, as a certification body, see all too often. It would appear, at first glance, that the scheme is failing to achieve the government’s aims.


Accreditation requires a minimum standard of security. This means certain changes may need to occur to pass. These changes are rarely expensive to put into place.

The certification body can add useful comments to the self-assessment questionnaire. Through these comments we can educate the business, which in turn can help it improve its cybersecurity.

The fee for the scheme itself is around £1 a day. That is, in our opinion, a small price to pay to reduce the risk of being the next headline.

Cyber Essentials tends to have the ear of the management. This is because the company management team sign and submit the questionnaire. So companies will only gain from undergoing the certification.

For the future of the scheme itself, the government has stated there will be:-

  • More explanation of the differences between the Cyber Essentials schemes currently available: the Basic scheme and the Plus scheme. The Basic scheme relies on self-certification. The Plus scheme includes an external assessment element performed by a certification body
  • More training and information resources to convey key messages from Cyber Essentials
  • Continuous improvements made to simplify and clarify the scheme based on business feedback
  • Constant advancements to keep pace with technology
  • Increased sharing of cybersecurity best practice
  • A more common approach in tailoring the scheme to the size of a business

As a certification body we are seeing these improvements and an increase in clarity. The scheme is catering more and more for all types of companies, from those running cutting-edge technology to those using minimal technology.

The NCSC owns the scheme and continues to provide sound advice on how best to deal with the cyber threat landscape. As a result there is only a single voice detailing what is best for business. Businesses following the scheme do not waste precious resources investing in snake oil. They can see what it takes to be good enough compared with achieving the ideal. Fear, uncertainty and doubt are now placed in context. This allows businesses to make better decisions on how best to deal with cybersecurity and which strategy to follow.

Additionally, the government is running media campaigns detailing the ever-changing cyber threat. These are getting the attention of company executive teams. Cybersecurity is now a regular part of most boardroom discussions. The evidence (see Cyber Security Strategy) shows the Cyber Essentials scheme is effective in achieving government objectives. Through it, the UK Government will continue to help make UK businesses more secure and help the UK be seen as a safe place to do business online.

We work with IASME, who manage the scheme on behalf of the NCSC. As a certification body we can:

  • assist with reviewing your completed self-certification questionnaires
  • counsel on areas to improve your cybersecurity

We will explain each of the requirements and their aims to you and, with an understanding of your business, help you decide how best to become more cyber secure.

As a certification body we can also perform validation against the Cyber Essentials Plus scheme.

Interested? Find out more, contact us today.
