A government cybersecurity assurance scheme called Cyber Essentials — previously often derided as deeply inconsistent — got a fresh start this month, with a single accreditation body, IASME, taking over the project.
The National Cyber Security Centre (NCSC) appointed The IASME Consortium as partner and sole accreditation body for Cyber Essentials on April 1, dispensing with four other bodies that were initially part of the programme.
Cyber Essentials aims to ensure companies have covered the cybersecurity basics, e.g. that they are not running unpatched operating systems.
As the NCSC describes it: “Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.”
The appointment came despite what the NCSC admits were some “challenging conversations” with IASME — a 25-strong SME led by Dr Emma Philpott MBE, a former staffer at a defence research agency and at QinetiQ, who has gone on to run the UK Cyber Security Forum, an organisation that helps set up informal clusters of small cyber security companies across the country.
Cyber Essentials: What’s Changed?
IASME is overhauling the Cyber Essentials scheme by providing one clear baseline of cyber hygiene, in the form of a list of questions.
It is also offering guidance as to how to meet the necessary standards to achieve a Cyber Essentials certificate, which is mandatory for central government contracts, and a prerequisite for many companies before they conduct business.
Dr Philpott, the CEO of IASME, said the process was designed to be simple and to build in feedback so that simple errors are corrected.
She told Computer Business Review: “Our assessment is designed to ask key questions, and if people are doing the wrong thing, we will give simple feedback to help them through the process.”
Certification starts with a list of questions available via an online portal, which a customer can access beforehand for free. Some are yes/no questions and some need more detail, so that the assessor can understand more about the systems of the company seeking certification.
What Makes IASME’s Implementation so Successful?
“If it’s just ‘yes’ or ‘no’ answers, which some of them were in the past, you cannot understand the way the system [a customer’s system] works and you cannot give valuable feedback,” said Philpott.
She added: “A lot of clients will fail the first time because of slight misunderstandings or things they’ve missed. Everyone has two working days to change their system, update their answers and resubmit.
“The biggest reason [some fail first time] is that they haven’t realized they’ve been using unsupported software. So, for example, a whole company might be using iPhone 5, which is now unsupported and vulnerable. So the feedback will be that you can’t use iPhone 5; iPhone 6S is the oldest one that’s still supported.”
This process will normally take one to two days.
Like the four previous participants, IASME relies on a large number of partner assessors. (A blogpost released by the NCSC notes that “IASME already had 175 certification bodies across the UK, with 312 assessors.”)
Many more were added and trained in preparation for IASME’s promotion, and by April 1 the accreditation body had 280 certification bodies and 670 assessors across the UK and Crown Dependencies.
The CEO of IASME clarified that “we’re a very small company and we completely rely on our partners. All the assessments and certifications get done by the certification bodies. So we act as a hub, they do all the work there and we support them”.
Why Did Cyber Essentials Need Overhauling?
The Cyber Essentials Scheme began in 2014 to provide a standard of cyber security awareness, with proof of that awareness in the form of a certificate to be provided on demand.
Specialist insurance broker Duncan Sutcliffe, of Sutcliffe Insurance, has been a part of the Cyber Essentials Scheme from its beginning in 2014, having worked with IASME before the programme was born.
Sutcliffe remarked on how the scheme has had to change. He told us: “I think it was causing confusion amongst consumers, in that you’ve got one certification, but it was being presented in five different ways, which is wrong really.
“Some were perhaps using it [Cyber Essentials] as a tool to sell their other products to large organizations, or were perhaps dumbing it down and weren’t being as thorough in their assessments.”
He added: “The idea of rolling it out across a number of bodies had merit, but inevitably they were all going down their different routes and it was perhaps causing a barrier to getting the nation certified”.
Dr Philpott agrees: “The scheme was becoming really complicated. Companies would go to one accreditation body and would be told one thing, whereas another would be saying something else. After five years of running the scheme, the Government initiated a big consultation process and they found that people were confused”.
Five different systems giving five different ways of achieving the same certificate meant that the accreditation itself had started to lose its meaning.
Philpott commented: “It’s not just the case of clicking on ‘yeah, it’s the same as last year’ because no one will actually check. Just going through an automated Yes/No checklist means nothing; you don’t get any benefit from that.
“We want it to be a process that helps companies be secure, not just something where you pay £300 and you get a certificate”.
Duncan Sutcliffe’s own company upgraded to the more comprehensive Cyber Essentials Plus in 2019.
He told Computer Business Review: “It took a lot of procrastination before starting the process but only two days of concentration to actually put everything in place that was required. We feel so much happier knowing we have the certification and it has made us far more cyber aware.”