NCSC CyberEssentials (CE) is, in a nutshell, a UK-government-backed scheme that aims to lift companies out of their security poverty. Those that opt to comply with the scheme, benefit from protection against the most common cyber attacks. That’s what you can read on the tin’s label, however, inside the can, there’s much more.
The scheme has two flavours: CE and CE+.
CE is a self-assessment, performed by filling in an online questionnaire that is later reviewed by IASME. If the responses are of sufficient quality and clarity, the company is awarded the certificate. If the company happens to initially fail the assessment, it will be granted a few days to correct and re-submit at no added cost.
CE+ differs from CE by also including a hands-on technical verification, or in other words, the information submitted is independently verified via penetration test.
Another plus is that a certified company, being UK domiciled with a turnover under £20m, is also entitled to a Cyber Liability insurance with a value up to £25,000, while companies from abroad may benefit from insurance discounts from brokers that recognise the certification.
If you consider the scheme as a hurdle, that once overcome, also warrants a business a higher level of confidence to do business with and an improved reputation, for that particular year, you would be right.
Either flavour has a negligible acquisition cost, but business leaders should account and allot sufficient time as to allow the completion of the assessment, it is non trivial. They should also prepare their workforce for cultural and operational changes as those will be needed in order to meet certification requirements.
Ready or not, once embarked on its adventure of security indoctrination, the business will obtain a deeper appreciation of the subject and come out with an improved security posture.
A bit of criticism
1- From those that want more
Some security professionals, would like the scheme to evolve as to offer different shades of grey according to the assessment findings, meaning it should offer finer classification than just the stamp of “certified”.
I’ve observed this criticism in social media and grouped its supporters as those already standing on the other side of the barrier and suffering from due diligence fatigue on their supply chain security assessments. Their eagerness to pass the ball to IASME would potentially lower their companies costs and uniform responses obtained. I wonder if IASME will go for it.
Upon further reflection, I also acknowledged the very likeable existence of those that may desire to differentiate themselves from other certified enterprises. Be it because they didn’t cut corners to get certified and believe others did, or because of being aware that particular ways of achieving X actually provide NULL value or even because they may know of companies stating compliance when it is just not the case.
Nonetheless, I for one, do not endorse this proposed mutation of the scheme as I’m of the opinion that it should be maintained until the numbers of certified companies is so high that the certification no longer serves a purpose, rather than changing its poverty starvation mission mid marathon.
My reasoning stems from having experienced security poverty and being able to recognise the level of effort required to lift a business from it. As such, although I comprehend that re-certifying every year will not be as exciting and transformable as the first time its accomplished, I shall frown, if after a few years it remains the only security certification a company holds…
2- From those that need more
On a flip side, and despite the scheme’a success since 2014, it continues to receive laments regarding insufficient information and requests for further clarity on a range of topics. I, myself, had questions.
Nonetheless, I find this feedback unavoidable and expected given the scheme’s targeted broad audience as one can do little but hope to achieve a large level of resonance even when only transmitting a short message to a diverse audience.
Yet, this important and recurrent critique stresses unequivocally that the poor and the misguided are reaching out for help and want to do better! But it also questions if raising the bar is not indeed suboptimal or premature.
3- From those that don’t agree
There are also certain security professionals that challenge some of the specifics of the scheme. Here care and pause must be put in place as all security professional should grasp the content of the challenge with ease. Thus when someone starts YELLING with the intention of maintaining practices that outreach into the realm of the unethical, others will question the real reason behind it, be it that invariably, it will have the same root cause: financial costs, rather than the absence of knowledge regarding risks.
I believe this only occurs due to the weight of the identified cost having not been married to the tradeoffs attained. Nonetheless, I recognise that here, battles have to be fought one by one with the goal of educating as to allow for a shared state of enlightenment which will be a slow process and better served with bespoke threat modelling, risk identification and quantification prior to any treatment (acceptance, transference, mitigation, avoidance).
Although so far I’ve not endorsed challenges posed, being limited by my sphere of influence and visibility, I also recognise an opportunity for the scheme to offer more value and assist those willing to certify in the shape of enumerating which laws maybe violated if Y and Z are not in place. Albeit those may be UK specific, the insight may prove beneficial and lower resistance.
Upcoming changes that may hurt your business
I question two of the changes proposed, as all others feel like improvements at the moment, but I like to remain free to revisit.
1- The scheme will no longer require user device models to be reported
I can imagine IASME receiving complaints from enterprises that have large numbers of assets regarding how slow and painful the process is. I’ve been there, but anyone making this complain raises immediate questions on how the company monitors, controls and replace said assets and is part of doing the right thing to improve the company’s security. As such, I wouldn’t accept this as the reason for the change.
I’m inclined to believe that this change is to favour IASME and possibly CE+ assessing companies, who may be looking to decrease their level of work and thus willing to lower the bar permitting a more flexible submission. This feels closer to reality in the sense that time invested by those, depending of the size of the organisation being assessed, may lead to costs not covered.
For me however, because different models may very well have different support lifecycles and may have different associated operating systems and firmwares, so, this is a negative change.
An example will be to report: “we only use Macs” when particular models are already unable to support different security requirements. This obfuscates the information submitted.
IASME please reconsider!
2- The scheme will only require router and firewall firmware reports
This one puzzles me. Companies have wifi repeaters and those have firmware, they have servers that have firmware and all other devices… all with firmware.
Here I would point a finger to virtualisation and cloud providers that do not share such information. And if I’m close, then I would question IASME if it wouldn’t make more sense to have separate requirements for tangible and intangible assets.
Not knowing what firmware is used in a device, impairs decision making regarding the level of security the asset requires. So it’s another negative change leading to less security.
IASME please reconsider!
Less control is not better, less is worst. In these two cases at least.
Lowering the value of the certification is just not right.
Thanks for reading. What do you think about these changes? Let us know in the comments below!