The UK government-approved accreditation scheme provides a baseline for companies to secure their systems and devices and can help enterprises secure their supply chains.

While the latest and greatest zero-day exploits against mega-corporations make the best headlines, the majority of security incidents are relatively simple attacks against smaller companies with limited security resources and know-how.

Created by the UK's National Cyber Security Centre (NCSC) in 2014, the Cyber Essentials scheme provides a baseline for organisations to show in a standardised way that they are implementing proper cybersecurity policies, controls, and technologies. It is designed to help companies of any size operating in any industry. According to the NCSC's Head of Commercial Assurance Services, over 30,000 organisations have gained accreditation since the scheme's introduction.

How to achieve Cyber Essentials accreditation

The scheme comes in two forms: Cyber Essentials and Cyber Essentials Plus. Both certificates have the same requirements, but the Plus scheme involves more rigorous checks. Basic Cyber Essentials has organisations self-assess their systems and have that assessment independently reviewed by an accredited body, while the Plus scheme has a certification body conduct internal and external vulnerability scans as well as an on-site assessment to verify that adequate controls are in place.
The questionnaire itself focuses on whether you have technologies such as firewalls in place, and whether certain policies and controls around those technologies have been implemented, for example whether vulnerable services such as Server Message Block (SMB) and Telnet are disabled by default unless a documented business reason justifies enabling them.

The CE scheme focuses on five technical controls:

- firewalls to protect all devices
- secure configuration for devices and software
- user access control for data and services
- malware protection (including sandboxing and whitelisting)
- patch management

To pass the certification scheme, a company must meet all requirements within those five areas. Certification bodies include CREST, the IASME Consortium, AMPG, IRM, and many others. Certification requires annual renewal.

Areas within the scope of assessment include both personal and corporate-owned devices, wireless devices connected to the internet, and commercial web applications. Wireless devices not connected to the internet, SaaS applications, and custom web applications are not in scope.

Benefits of Cyber Essentials accreditation

While it won't prevent the most advanced APTs or the exploitation of zero-day vulnerabilities, the CE scheme aims to help companies ensure good cyber hygiene and protect themselves against phishing, known malware and vulnerabilities, ransomware, credential stuffing, and network attacks. As well as protecting against costly cybersecurity incidents, potential loss of business, and the threat of fines from regulators, the scheme can open doors to new business.

Certified companies are listed on the NCSC's CE site and on the accreditation firms' sites, so certification can help firms that want to show current or potential partners that they take security seriously.
In addition, the British government requires all suppliers bidding for contracts that involve handling certain sensitive and personal information to be certified against the Cyber Essentials scheme. Some cyber-insurance companies may also lower premiums for companies that hold CE or CE Plus certification.

Supply chain benefits of Cyber Essentials

While most large enterprises will likely find that their security function is already mature enough to meet all of the scheme's requirements and much more (frameworks such as ISO 27001 are far more comprehensive and better suited to an enterprise), the scheme can benefit enterprises that set it as a default minimum standard for their suppliers.

According to Accenture's Technology Vision 2019 report, seven in 10 businesses may be vulnerable to malicious attacks through their ecosystem, and just 29 percent of UK business and IT executives know how diligently their partners are working on security. Smaller suppliers can be used as stepping stones to breach larger organisations if they have access to certain systems or portals; according to a survey by the Ponemon Institute, 56 percent of organisations have had a breach caused by one of their vendors. One of the most notorious examples was American retailer Target suffering a breach in 2014 via a third-party HVAC supplier.

While a sufficiently sophisticated attack against a supplier may still succeed, enterprises that require suppliers to hold CE certification will at least stop some of the more basic attacks from getting through. Requiring minimum security standards from suppliers may also reduce the chances of other companies that use the same suppliers suffering incidents.

The UK government and the Ministry of Defence have already mandated that those bidding for contracts must be accredited, as part of efforts to improve the security of their supply chains.
This has been a requirement for UK government contracts since 2014, and when the MoD adopted the same stance in 2016 it said CE certification "will become the baseline requirement for companies in the UK defence supply chain".

In May 2018 UK IT solution provider Evaris launched a petition to make the Cyber Essentials scheme compulsory for businesses. It aimed to require businesses of 51 to 250 employees to meet at least the criteria for Cyber Essentials certification, while companies with over 250 staff would be required to complete Plus certification.