Baselining your security by adopting a standard such as Cyber Essentials, Cyber Essentials Plus or the ISO 27001 standard can provide the business with the starting blocks for an effective cyber security policy. That’s a given. Yet adoption of these standards still remains woefully low.
The UK government’s latest Cybersecurity Longitudinal Survey, now in its second year in a three year study, reveals that only 40% of businesses adhere to one of these standards (with 25% meeting Cyber Essentials, 17% ISO 27001 and 11% Cyber Essentials Plus). This marks only a slight increase from the 32% that confirmed they were certified last year, despite the efforts of the government to increase uptake through its ‘Cyber Aware’ campaign.
Qualitative interviews conducted during the study reveal a wide range of attitudes. The most positive saw it as aligning them with best practice and providing their IT team with a framework to work to. Others regarded it as a necessary requirement that they must meet in order to do business with certain organisations (it is mandatory when bidding for government contracts). But there are still those who regard it as a tick box exercise. So, what needs to be done to improve perception and the adoption of these standards?
The certification process itself can be fairly simple. Cyber Essentials costs just £300-500, takes three days to complete and involves a self-assessment which is then verified, with a free retake within two days should you fail. Requirements under Cyber Essentials were recently updated to include cloud services, multi-factor authentication (MFA) for all administrators of cloud services and more stringent password requirements for other users, BYOD, and more rigid rules around virtual server-based environments, remote workers and firewalls. Further updates being brought in from 24 April 2023 include guidance on Zero Trust Network Architecture (ZTNA) among others.
Cyber Essentials Plus, as the name implies, requires Cyber Essentials certification first, typically can cost anywhere from £1500 to £3000+, and sees an audit carried out by an independent assessor. This assessment takes the form of an audit of some of the organisation’s user endpoints, including an authenticated vulnerability scan, an external port scan of internet facing IP addresses, and an email/internet browser test, with 30 days to remediate any issues discovered.
ISO 27001 was viewed as the most expensive and onerous standard by those questioned in the survey. It tends to take about 18 months to become compliant and costs can vary due to internal as well as annual audits, which can run into thousands depending on the size of the business. However, ISO 27001 is widely seen as the gold standard, it’s internationally recognised and those who undertake it regard it as a real differentiator in the marketplace.
Failing to build on the foundations
All three standards should be used to form the basis of a cybersecurity strategy. It’s estimated that Cyber Essentials protects against 80% of attacks, for instance, which leaves a large attack window. The idea is for businesses to start with the basics and then build on them, by putting in place more business-specific policies and controls. The Cyber Security Incentives and Regulation Review 2022 clearly states that Cyber Essentials only provides “a foundational technical standard of cyber security” and it is now looking at how it can provide additional support to those seeking to move towards a more mature level of
organisational cyber resilience such as the Cyber Assessment Framework.
Today, few of those that adopt the standards are using them to design a working cyber security strategy. Five types of documentation were identified as crucial for an effective cyber security strategy in the survey: a Business Continuity Plan (BCP), documentation identifying critical assets, documentation of the organisation’s IT estate and vulnerabilities, a risk register and documentation of the organisation’s risk appetite. While many had a BCP, only half had a risk register and only 30% documented acceptable risks. Moreover, most did not have a formal incident response plan and those that did, did not test them.
Part of the problem, as identified in the government review, is that organisations find it difficult to quantify impact and therefore to justify dedicating the time, resource and money to invest in cyber security. To help with this, the government intends to make impact information available to help justify investment but to also elevate the importance of the risk register and provide the additional evidence needed for external reporting, as in the case of an insurance claim.
But do we need to move beyond awareness and education and look to incentivisation? One such incentive is cyber insurance. Those achieving Cyber Essentials certification for the whole organisation and whose turnover is less than £20 million benefit from £25,000 worth of third-party cyber insurance, for example, and have access to an emergency incident response helpline.
Granted, this is a limited form of cover that won’t offer protection against, for example, financial cyber crime, but the standard is also now seen as a good basis for taking out more comprehensive insurance policies. Many insurers ask for additional evidence that cyber security measures are in place and those that comply with these standards are deemed to have met the level of assurance needed – they may even benefit from lower premiums.
Yet during the two years the Longitudinal Survey have been running, and a year on from the government review, it’s clear that organisations are not adopting the standards through choice and when they do, they’re not capitalising on the opportunity to extend them. There need to be more compelling reasons for companies to sign up and progress to higher levels, either in the form of tax relief or even mandating them, particularly if we are to build a cyber resilient economy.
Phil Robinson is Principal Security Consultant and Founder of Prism Infosec, the independent cybersecurity consultancy. An Associated Member of the ISSA, the (ISC)2 CISSP, ISACA CISA and a CHECK Team Leader, he is also a CLAS Consultant/Senior CCP Security and Information Risk Advisor and has assisted in the development of numerous penetration testing standards and certifications. Phil has been in information security for over 25 years.