It's time the government revisited its flagship cyber protection scheme, writes Phil Robinson, principal consultant, Prism Infosec
The government’s Cyber Essentials (CE) programme was meant to establish a minimum baseline of cybersecurity across UK businesses.
But at almost a decade old, the scheme has amassed just under 35,500 registrations out of a total of 5.5 million businesses – disheartening news for a government that has committed to protecting the UK’s cyber space by 2025 under the National Cyber Strategy.
In order to find out what went wrong, the Department for Science, Innovation and Technology (DSIT) commissioned an evaluation of the scheme. Interestingly, it’s not just uptake that has been low.
Almost half of those that chose to become compliant dropped the certification after a year, a third after two years and a fifth after three, but not because they didn’t think it worthwhile. In fact, the majority (67%) would recommend the scheme to others; rather, it was the process itself that put them off.
'It's like a tax'
Other reasons for the lacklustre uptake were that almost half only obtained the certification to meet public sector contract requirements, with one respondent even describing it as “a sort of tax”.
Some said the expertise, resources and costs were a deterrent, particularly as the standard is renewed annually, or that the technical controls were too difficult to achieve or keep up with. And the ‘one size fits all’ approach also failed to cater for the needs of businesses of different sizes and means.
Ticking clock...
So how might things be improved? As two thirds of current and lapsed users needed to ask questions or seek help during the certification process, expect the simplification of the guidance and a more tailored approach to different organisations.
We may also see a move away from the current prescriptive approach to one that is more risk-based to allow for larger enterprises to meet the technical control requirements.
The report also said that the length of certification could be extended to three years, removing the need to perform annual audits, or that scaled pricing, with lower bands for start-ups or those renewing, could be brought in. Also mooted was the prospect of abolishing mandatory certification for public sector contracts, provided the business has an equivalent standard in place, which will undoubtedly be welcomed by those who already hold ISO 27001, for instance.
Boosting adoption
Yet will these amendments be enough to make a difference? Those who have never gone for CE said they would only do so if it was contractually required, demanded by customers, or asked for by senior leaders. This suggests that adoption can only be boosted if it is in the best interests of the business.
There are multiple ways of doing this. We could make the standard more financially viable so that, alongside tiered pricing, we provide tax breaks, for example, or work with the cyber insurance sector to lower premiums. Or we could make the standard more meaningful by providing the business with a tailored assessment approach that then translates directly into applicable security controls.
Change of tack needed
It is this last option that has the potential to elevate CE from an annual point-in-time audit exercise that may be perceived as painful for the business to a valuable assessment which contributes to improved cyber security throughout the year. Using a risk-based, outcome-oriented approach can keep costs down while providing the guidance the business needs to improve its security posture.
Taking such an approach will elevate perceptions of the standard, and if CE is seen as worth having, more businesses will want it, generating its own demand. And it’s this mass adoption that is the key, as creating a baseline across the country will benefit us all and the economy.
But for that to happen we need government to incentivise businesses and make CE indispensable.