Cyber Essentials in 2026 - what do your customers need to know?

By Matt Middleton-Leal, Regional Vice President EMEA, Qualys

Wednesday, 11th March 2026. Posted by Sophie Milburn

Cyber Essentials is the UK Government-backed scheme that sets out a baseline of security controls organisations can use to improve their posture. It provides guidance on how to harden systems, keep identities secure and keep applications patched so that known vulnerabilities are not left exposed. According to the UK Government’s own research, around 30 percent of companies currently use Cyber Essentials as a framework to secure their operations.

The threat to organisations continues to grow: in the same research, 82 percent of businesses and 77 percent of charities experienced some form of cyber incident over the past twelve months. Improving security operations is therefore a real opportunity for any channel partner. Why are so many companies still not using the guidance, and can that gap be your foot in the door for more opportunities?


Where Cyber Essentials sells … and where it might not

Firstly, complying with Cyber Essentials is not mandatory for all companies. For a very small business with only one or two employees, for example, the process may be more than it can take on. There are also two levels: the entry level, Cyber Essentials, which is based on a self-assessment questionnaire, and Cyber Essentials Plus (CE+), which adds an independent technical audit by an external certification body. For some companies, CE+ is essential.

For example, if your customers sell to the UK public sector - or if your organisation does - then CE+ is a must-have. This external accreditation is often stipulated in procurement terms for public sector projects, and for suppliers of IT or digital services, demonstrating the credential is frequently a condition of bidding at all. The Cyber Security and Resilience Bill that the UK Government has brought forward will also bring more companies into scope, asking them to demonstrate that they follow best practices.

Companies in the private sector are also encouraged to get CE+ accreditation. For example, banks have committed to supporting Cyber Essentials across their customer bases and their supply chains to raise the overall standard of security. The impact here is tangible: according to research, certified organisations are 92% less likely to make a claim on their cyber insurance than those without certification. The figure is a correlation rather than a guarantee, but it does suggest that getting certified makes it much more likely that a customer stays secure over time.

Companies may still choose not to get certified. Some see it as unnecessary because they already meet other, more stringent security or regulatory requirements. For smaller companies, the pressure of running the business can push CE+ to the back of the queue, even though they are the ones with the most to gain. With the average cost of a data breach for UK companies at £195,000, the cost and time of certification are far less than the impact of an attack.


What is coming next

This year’s update to CE+ will change both the certification process and the security processes behind it. The biggest change is that more of a company’s IT estate will be in scope for audit and assessment: companies will no longer be able to narrow the sample of systems they present for testing. This makes preparation harder but delivers better results over time, and it makes it more difficult for customers to fudge the results or quietly skip recommendations.

There are two major changes to the guidance as well. The first is that multi-factor authentication (MFA) must be enabled wherever the service supports it. For cloud accounts and Software as a Service applications, that means MFA is mandatory across all accounts, administrative and standard users alike. Not having it in place is an automatic failure, so you can help your customers find and close any MFA gaps as part of audit preparation. This can also open up identity management opportunities, as MFA is only one part of how a company should manage staff identities over time.

The second major change concerns how quickly critical issues are fixed. Critical vulnerabilities in security and networking equipment such as firewalls can give an attacker persistent, deep access to IT systems, and supply chain attacks on applications and services can provide simple and fast access to sensitive data. Fixing those issues quickly is one of the most efficient and effective ways to prevent attacks. In this update, CE+ auditors will look for evidence that the organisation can deploy fixes for any critical issue within 14 days. If the organisation cannot demonstrate that it meets the target, that is an automatic fail as well.

This might seem like a high hurdle. In our research, small businesses typically took more than 14 days to patch, while enterprises took more than 21 days. It is worth stressing, however, that a fix does not have to be a patch. Mitigations such as configuration changes, hardening the environment and blocking the vulnerable access path all count as fixes within the 14-day window, and they can be applied while patch testing is still under way. Whatever the method, record the date the vendor fix was released and the date each mitigation or patch was applied per asset, because that dated trail is the evidence the auditor will ask for. On top of this, automated patch deployment tools make it much easier to roll out patches today than with the manual processes of the past.
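To show how the 14-day window above works out in practice, here is an added example (not Qualys tooling or part of the original article) that classifies a constructed vulnerability inventory against the window. The clock starts on the date the vendor released the fix, and a compensating mitigation applied inside the window counts as the fix even when the patch itself lands later. The asset names, issue identifiers and dates are all invented for illustration, and the in-scope severity set is a configurable assumption that you should align with the scheme's published requirements.

```python
"""Remediation-window tracker for CE+ audit preparation (added example).

Each in-scope finding is classified against a fixed window counted from the
vendor fix release date. A compensating mitigation (configuration change,
hardening, access block) counts as a fix on the day it was applied, even if
the patch is deployed later.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 14             # remediation window from the text
IN_SCOPE = {"critical"}   # assumption: severities assessed; widen if the scheme requires it


@dataclass
class Finding:
    asset: str
    issue: str                        # tracker ID or short description (constructed below)
    severity: str
    fix_released: date                # vendor fix publication date: the clock starts here
    patched: Optional[date] = None    # date the patch was applied
    mitigated: Optional[date] = None  # date a compensating control was applied


def remediation_date(f: Finding) -> Optional[date]:
    """Earliest date the issue stopped being exploitable; patch and mitigation both count."""
    dates = [d for d in (f.patched, f.mitigated) if d is not None]
    return min(dates) if dates else None


def assess(f: Finding, as_of: date) -> str:
    """Return one of: patched_on_time, mitigated_on_time, late, overdue, open."""
    deadline = f.fix_released + timedelta(days=SLA_DAYS)
    fixed = remediation_date(f)
    if fixed is None:
        # Nothing applied yet: overdue once the deadline has passed, otherwise still open
        return "overdue" if as_of > deadline else "open"
    if fixed > deadline:
        return "late"
    if f.patched is not None and f.patched <= deadline:
        return "patched_on_time"
    return "mitigated_on_time"  # mitigation inside the window; patch pending or applied later


def report(findings: List[Finding], as_of: date) -> Dict[str, List[str]]:
    """Group in-scope findings by status; out-of-scope severities are skipped."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.severity not in IN_SCOPE:
            continue
        out.setdefault(assess(f, as_of), []).append(f"{f.asset}:{f.issue}")
    return out


def sla_failures(findings: List[Finding], as_of: date) -> List[str]:
    """Findings that would fail the window: fixed late, or still open past the deadline."""
    r = report(findings, as_of)
    return sorted(r.get("late", []) + r.get("overdue", []))


# Constructed sample inventory; assets, issue IDs and dates are invented for illustration.
SAMPLE = [
    Finding("fw-edge-01", "FW-001", "critical", date(2026, 1, 5), patched=date(2026, 1, 12)),
    Finding("app-srv-02", "APP-017", "critical", date(2026, 1, 10),
            mitigated=date(2026, 1, 20), patched=date(2026, 2, 3)),
    Finding("laptop-14", "OS-233", "critical", date(2026, 1, 15), patched=date(2026, 2, 10)),
    Finding("vpn-gw-01", "VPN-004", "critical", date(2026, 2, 20)),
    Finding("web-01", "WEB-090", "critical", date(2026, 3, 5)),
    Finding("print-01", "PRN-002", "medium", date(2026, 1, 2)),
]
AS_OF = date(2026, 3, 11)

if __name__ == "__main__":
    for status, items in sorted(report(SAMPLE, AS_OF).items()):
        print(f"{status:18} {', '.join(items)}")
    print("would fail:", sla_failures(SAMPLE, AS_OF))
```

In the sample, app-srv-02 passes because the mitigation landed on day 10 even though the patch followed after the deadline, while laptop-14 fails because the patch was its only fix and arrived on day 26. The open vpn-gw-01 finding is already overdue on the as-of date and is the one to chase before the audit.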

For partners, helping customers update their processes so they can meet the 14-day fix target for critical issues is one of the biggest security opportunities available. It can lead to further work around patch management, and it offers the chance to help customers understand the risks they face and improve their processes. For larger enterprises, this might involve setting up a risk operations centre to complement their existing security operations centre; for smaller companies, a managed service around risk operations can help them deal with potential threats proactively, before they turn into real attacks.

Cyber Essentials - and CE+ in particular - can play a vital role in helping companies get the basics of security right. It is an effective and simple set of controls that hardens systems and prevents problems. Those already using it may see the value, but many more companies could benefit from putting these processes in place. Building opportunities around Cyber Essentials offers a first step into better security for the organisation and into delivering valuable services for partners. You can help customers prioritise their risk operations, putting a cost against potential threats so they concentrate on the biggest problems before they can be exploited.
