Last week the UK Government launched the Cyber Essentials Scheme (CES), which allows businesses to demonstrate best practice in defending against common cyber threats.
The scheme, launched 5th June 2014, is a key objective in the government's £860 million National Cyber Security Programme. Its main objective is to ensure the UK is a safer place to conduct business online. Until now, there hasn't been a single recognizable award in cyber security assurance suitable for all businesses. The scheme was developed in close consultation with industry and insurers, and a range of incentives is being offered to businesses that join.
"Britain is already a world leader in cyber security. Developing this new scheme will give consumers further confidence that business and government have defenses in place to protect against the most common cyber threats." - David Willetts, Science Minister
What are the requirements?
The scheme defines 5 key controls to defend against the most common cyber threats:
- Boundary firewalls - Information, applications and computers should be protected against unauthorized access and disclosure from the internet.
- Secure configuration - Devices should be configured to reduce the level of inherent vulnerabilities and to provide only the services required to fulfill their role.
- User access control - Admin privileges should be assigned only to authorized individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
- Malware protection - Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.
- Patch management - Software should be kept up to date and have the latest security patches installed.
Full details of the requirements can be viewed here so that organizations can self-assess before applying for formal certification.
What is the benefit?
The UK Government claims the scheme will boost a business's reputation and competitive advantage by showing that it takes cyber security seriously. As of October 2014, bidding for certain high-risk government contracts will require a Cyber Essentials Award.
Recent large US data breaches have demonstrated the cost to business of integrating third-party IT systems that have poor cyber security controls. Many organizations already require contractors and partners to prove a certain level of cyber hygiene in order to continue doing business.
The CES is about businesses raising the bar on cyber security, and it provides a sound baseline to build on. The scheme follows the defense in depth model: if an attacker breaches one layer of security, another layer is there to contain the threat.
When implementing these controls it is important to prioritize those that can provide the biggest impact. The Council on Cyber Security names privilege management and application allow listing (user access control) combined with patch management as the most effective 'quick wins' against real world attacks.
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.