Security Journal UK hears exclusively from Ivan Milenkovic, Vice President, Risk Technology EMEA at Qualys, about the impact of Cyber Essentials v3.3.
According to the UK Government's longitudinal cyber security research, 82% of businesses and 77% of charities experienced some form of cyber incident over the past year.
Just over a third of organisations (37% of businesses and 36% of charities) also reported that they had increased their security budgets.
Where should that budget go if companies are to see the best results?
The UK Government’s approach here is called Cyber Essentials – it has been running since 2014.
Currently, 30% of businesses report themselves as compliant with Cyber Essentials, up from 23% the previous year, while 28% of charities self-report their systems are compliant.
While these numbers are good, and the growth in adoption over the past twelve months is certainly encouraging, they reflect self-assessment only.
Formal certification with Cyber Essentials Plus currently stands at only 3%, so there is an immense gap between what companies think of as security and verifiable compliance.
Against this small base of verified compliance, Cyber Essentials is being updated in April, with some significant changes to bear in mind.
What are those changes, and what will you have to do differently to be compliant and more secure?
Cyber Essentials is built upon five foundational technical controls: firewalls, secure configuration, security update management, user access control and malware protection.
These five areas cover the essential pillars of IT security, providing guidance on what is needed to secure any organisation against attackers. Implementing these controls will keep out the vast majority of commodity attack techniques.
However, the world does not stay still.
New attacks and vulnerabilities are discovered all the time and old vulnerabilities can be weaponised in new ways.
The advent of AI has made it easier and cheaper for attackers to carry out more attacks, while phishing kits and “deepfake” video and audio content make attacks more convincing too.
Cyber Essentials is therefore not something that can be implemented once and then forgotten about until the next audit a year later.
It provides a framework for security that can be followed all year round.
The April update (v3.3) significantly tightens the auditing criteria, closing loopholes that previously allowed organisations to compartmentalise their audits and mask underlying risks.
The scope is now uncompromising: if a device accesses organisational data, including BYOD and remote working equipment, it is in scope.
There are two big changes in Cyber Essentials to address new issues as well.
The first is around user identity and multi-factor authentication (MFA).
MFA adds a second factor to the login so that a stolen or guessed password alone is not enough to get into an application.
Previously, administrator accounts were the only ones that had to use MFA.
Under the new guidance, MFA will be mandatory for all applications and cloud services that support it across all accounts.
Not enabling MFA where the service supports it will lead to failing the audit.
The second major change to Cyber Essentials is around handling vulnerabilities.
Over the past few years, threat actors have used faults in the tools we rely on across IT for security, networking and systems management as routes into the companies they target.
Some of these faults have been in the very security products that companies use to secure their networks.
When an issue like this is discovered, it is normally exploited extremely quickly, often before many organisations have even scheduled the patch.
Fixing critical vulnerabilities fast is therefore essential.
In the update, the rules around vulnerability fixes will change.
Organisations must demonstrate the ability to apply high and critical vulnerability fixes within fourteen days of discovery.
Any inability to meet this deadline will result in an automatic failure.
For teams that currently struggle to roll out patches within thirty days, doing it in half the time might seem insurmountable.
However, it is vital to understand that the standard requires "vulnerability fixes", which provides a degree of operational flexibility.
Under this language, a fix includes any robust mitigation applied while a patch undergoes internal testing, covering configuration changes, registry updates, disabling vulnerable services or deploying specific scripts.
A mitigation only counts if it actually removes the exploitable condition on every affected device and can be evidenced to the assessor; the patch should still follow once testing is complete.
So, behind the harsh deadline, there is a specific business objective: to help organisations neutralise immediate threats.
Preventing that initial exploitation is essential to how Cyber Essentials is designed.
There are also changes to how Cyber Essentials Plus is audited in practice which will make it a much closer representation of real world security pressures.
For example, Cyber Essentials assessments previously relied heavily on documented policies and assertions, and sampling for audit checks was limited.
In the new version, audits will be conducted live, with technical proof gathered through authenticated scanning and continuous validation.
Alongside this, sample devices were previously notified well in advance of the testing date; now the maximum notice is three days, to prevent teams artificially hardening the selected systems.
Previously, any faults found during the audit could be fixed while the audit was still in progress, so the organisation could still present a consistent picture.
This meant that you could find a problem, fix it and still get accredited.
That is no longer allowed: no changes may be made during the technical test once it has started.
Similarly, if a sampled device was audited and failed, fixing that specific device was enough for remediation under the previous rules.
Now, the organisation has to remediate that problem on every affected device across the entire estate before re-testing will be allowed.
On top of this, the assessor would previously only re-test the original failed sample; now the assessor will re-test that sample and another randomly chosen device.
This set of changes is all about demonstrating that the rules are being followed at scale, rather than on specific devices prepared for the audit.
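The two rules above, the fourteen-day window for high and critical fixes (with a documented mitigation counting as a fix while the patch is tested) and the requirement to remediate a problem on every device rather than only the sampled one, can both be checked mechanically against scanner output. The script below is an added illustration written for this article, not code from Qualys or from the Cyber Essentials scheme. The findings are constructed sample data, the vulnerability identifiers (QID-100 and so on) and host names are hypothetical, and it follows the article's reading that the clock runs from discovery; adjust the start date if your assessor measures from the vendor's release of the fix.

```python
"""Check scanner findings against a 14-day fix window and fleet-wide remediation.

Added example for this article; not Qualys or Cyber Essentials code.
All findings below are constructed sample data with hypothetical hosts and IDs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

FIX_WINDOW = timedelta(days=14)            # high/critical must be fixed within 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}  # the deadline the article describes


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                  # hypothetical scanner identifier, e.g. "QID-100"
    severity: str
    discovered: date              # assumption: window counted from discovery
    patched: Optional[date] = None
    mitigated: Optional[date] = None   # config change, service disabled, script, etc.


def fixed_on(f: Finding) -> Optional[date]:
    """Earliest date the finding was neutralised, by patch or by mitigation."""
    dates = [d for d in (f.patched, f.mitigated) if d is not None]
    return min(dates) if dates else None


def assess(findings: Iterable[Finding], today: date) -> Dict[Tuple[str, str], str]:
    """Classify each in-scope finding; low/medium findings are skipped.

    Statuses: ok, fixed_late, overdue, open_within_window, mitigated_patch_pending.
    A mitigation inside the window keeps the finding compliant, but it is
    flagged so the patch is not forgotten once testing completes.
    """
    result: Dict[Tuple[str, str], str] = {}
    for f in findings:
        if f.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue
        deadline = f.discovered + FIX_WINDOW
        fixed = fixed_on(f)
        if fixed is None:
            status = "overdue" if today > deadline else "open_within_window"
        elif fixed > deadline:
            status = "fixed_late"
        elif f.patched is None:
            status = "mitigated_patch_pending"
        else:
            status = "ok"
        result[(f.host, f.vuln_id)] = status
    return result


def overdue_hosts(findings: Iterable[Finding], today: date) -> List[str]:
    """Hosts carrying an in-scope finding past the window with no fix at all."""
    return sorted({h for (h, _), s in assess(findings, today).items() if s == "overdue"})


def partially_fixed_vulns(findings: Iterable[Finding]) -> Set[str]:
    """Vulnerabilities fixed on some hosts but not others.

    These are the ones that would trip the new rule: fixing only the sampled
    device is not enough; every affected device must be remediated.
    """
    fixed_hosts: Dict[str, Set[str]] = {}
    open_hosts: Dict[str, Set[str]] = {}
    for f in findings:
        if f.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue
        bucket = fixed_hosts if fixed_on(f) is not None else open_hosts
        bucket.setdefault(f.vuln_id, set()).add(f.host)
    return {v for v in fixed_hosts if v in open_hosts}


# Constructed sample findings (hypothetical hosts, IDs and dates).
TODAY = date(2025, 5, 1)
SAMPLE = [
    Finding("fs01", "QID-100", "critical", date(2025, 4, 10), patched=date(2025, 4, 20)),
    Finding("fs01", "QID-101", "high", date(2025, 4, 5)),                       # nothing done
    Finding("ws07", "QID-101", "high", date(2025, 4, 5), mitigated=date(2025, 4, 12)),
    Finding("ws07", "QID-200", "medium", date(2025, 3, 1)),                    # out of scope
    Finding("vpn01", "QID-300", "critical", date(2025, 4, 25)),                 # still inside window
    Finding("db02", "QID-100", "critical", date(2025, 4, 1), patched=date(2025, 4, 20)),
]

if __name__ == "__main__":
    for key, status in sorted(assess(SAMPLE, TODAY).items()):
        print(f"{key[0]:6} {key[1]:8} {status}")
    print("would fail audit:", overdue_hosts(SAMPLE, TODAY))
    print("fixed on some hosts only:", sorted(partially_fixed_vulns(SAMPLE)))
```

Run against a real export, the useful outputs are the two lists: hosts that are already past the window with nothing applied, and vulnerability IDs that have been fixed on some machines but not all. The second list is the one to clear before asking for a re-test, since the assessor will now pick a second random device as well as the original failed sample.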
As a standard, Cyber Essentials aims to raise the baseline for security across UK organisations of all sizes.
It provides a set of actions to take that is both practical to implement and able to cover the vast majority of potential attacks.
Applying these controls drastically reduces your overall operational risk profile.
For any company weighing up its investment here, begin by looking at how much you stand to lose from an incident.
This does not mean worst-case scenarios, but a realistic view of what would happen if an issue affected your ability to work.
How much revenue would you stand to lose? Being able to quantify that cost, or Value at Risk, gives you a starting point for understanding how much Cyber Essentials, or any security programme, can deliver.
This also gets you away from IT security being seen as a cost without context, or as a line item that only ever gets bigger.
Instead, look at how you can implement better operational hygiene that mitigates the most probable, immediate risks before they can be exploited.
By making security “business as usual” rather than additional expense or a hurdle to overcome, you can prevent many of the most common attacks before they start.
Cyber Essentials provides that framework for where to start, but more importantly, how to stay secure over time.
Even as specific elements of the standard change, such as applying fixes and patches faster, the overall goal remains the same: preventing those problems as far as possible.