BreachExchange mailing list archives

UK Pitches Business 'Cyber Essentials'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Jun 2014 13:31:15 -0600

http://www.databreachtoday.com/uk-pitches-business-cyber-essentials-a-6924

"Are you doing the cyber essentials?"

That's the pitch to U.K. businesses via a new program called Cyber
Essentials. Funded by the government's National Cyber Security Program, it
offers businesses the opportunity to have their information security
practices awarded one of two badges: the self-assessed "Cyber Essentials,"
and beginning later this summer, "Cyber Essentials Plus," which is
contingent upon an annual, independent audit.

The certification program aims to ensure that businesses have at least five
basic information security controls in place. It was developed in part with
the venerable British Standards Institution, as well as the Information
Assurance for SMEs Consortium, and the Information Security Forum.

The launch of the program has been heralded by a number of industry
associations and insurers - who have promised incentives for businesses
that comply - as well as U.K. information commissioner Christopher Graham.
"Protecting personal data depends on good cybersecurity, and the threats
and challenges are getting ever more sophisticated," he says. "This scheme
focuses on the core set of actions that businesses should be taking to
protect themselves, their customers, and their brand."

BAE Systems, Barclays and Hewlett-Packard are among the businesses that
have promised to participate in the program. But that's not surprising,
because the U.K. government also announced this week that by Oct. 1, "all
suppliers bidding for certain sensitive and personal information-handling
contracts" must have the Cyber Essentials certification.

Focus on the Basics

Despite the fanfare, the certification itself requires only that businesses
implement a handful of relatively simple controls: boundary firewalls and
Internet gateways, secure configuration, access control, malware protection
and patch management.

"I'm a little underwhelmed by the content to be honest; it's basic and
contains nothing that any reasonable tech-support guy won't have known
anyway," says Andrew Rose, a London-based security and risk analyst at
Forrester Research. "What it does achieve, however, is an escalation of the
discussion around information and cybersecurity. Rather than just being
left to IT, now the CEO may begin to ask questions about compliance as it
becomes important to capturing certain types of new business."

Going forward, however, Rose wants to see the current program become the
lowest rung - think a bronze level - in the program, to be complemented by
silver-level and gold-level "higher standards of excellence."

Similarly, Gavin Millard, technical director for Europe, the Middle East,
and Asia at Tenable Network Security, characterizes the guidance as "more
of a 'use travelers checks, keep your possessions close,' rather than a
detailed view of the controls that should be implemented by businesses to
remain secure from cyberthreats."

Questionable Advice?

Arguably, at least there's now an incentive for businesses to get their
security house in order. But Millard also questioned some of the basic
guidance being purveyed via the Cyber Essentials guidance. "For example,
when ... discussing authentication best practices, they trot out the usual
line of 'use characters and numbers,' rather than making the suggestion of
using a password management solution, which would address many issues
people face today," he says. "We have to wake up to the fact that humans
are not programmed to create complex passwords repeatedly for many systems
and utilize technology to address this."

Millard also characterizes as "flawed" the program's emphasis on rapidly,
if not automatically, installing every patch after it gets released by a
vendor. Instead, he says businesses should pursue a more rigorous
vulnerability assessment program to avoid unnecessary cost and rework. "It
is far more important to patch critical, easily exploitable vulnerabilities
first, rather than every patch vendors release," he says.

The Right Moves

Despite those criticisms, Millard lauds the intent of the program. "The
U.K. government is starting to make the right moves, defining a base level
of protection we should expect from any business," he says.

Forrester's Rose, who's previously helped two law firms achieve the ISO
27001 information security certification, says any business would benefit
from signing up for Cyber Essentials, especially if their practices aren't
yet mature enough to pursue the ISO standard. "Certification against
approved standards can be useful to prove to your clients, insurers or
regulators that your firm takes security seriously," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/