Government Launches ‘Cyber Essentials’ Security Certification

The UK government has launched a new certification scheme designed to help consumers establish whether an organisation has implemented basic cyber security measures.

Developed by the Department for Business, Innovation and Skills (BIS), a ‘Cyber Essentials’ certificate shows that the company is protected by firewalls, runs anti-malware solutions and understands the importance of frequent patching.

This certificate will play a part in the government’s IT procurement process. However, it doesn’t tackle advanced security features like encryption or two-factor authentication.

“The recent GOZeuS and CryptoLocker attacks, as well as the eBay hack, show how far cyber criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent,” said Universities and Science Minister David Willetts as he launched Cyber Essentials.

Back to basics

Developed in partnership with UK security industry bodies, Cyber Essentials lists requirements for basic technical protection from cyber attacks. These include boundary firewalls and internet gateways, secure hardware configurations, access control, anti-malware protection and patch management.

According to The Telegraph, BAE Systems, Barclays and Hewlett-Packard are among the first major companies applying for certification. From the beginning of autumn, suppliers bidding for certain sensitive government contracts will be officially required to hold a Cyber Essentials certificate.

Certification is available to businesses, non-profits and government organisations. It will come in two versions: a regular Cyber Essentials certificate can be obtained after a quick self-assessment with third-party verification, but to get the more reliable Cyber Essentials Plus, organisations will have to submit their systems for independent testing.

It is hoped that Cyber Essentials will help raise the confidence of consumers when shopping online, at a time when increasing numbers of familiar brands fall victim to hackers.

For example, last week High Street footwear retailer Office admitted that hackers had breached its website and gained access to customer details including names, physical addresses, phone numbers, email addresses and passwords, which were apparently all stored unencrypted.

The announcement was generally welcomed by the security industry. However, some experts have warned against relying on Cyber Essentials as a serious benchmark for network and data protection.

“This badge of approval from government could mislead businesses into believing that they are completely covered in all aspects of cyber security – when in fact, the Cyber Essentials Scheme concentrates on just five ‘basic but essential’ security steps,” commented Ashish Patel, regional director of network security at McAfee.

“There are a number of stealth-like advanced evasion techniques employed by hackers, which can go undetected on an enterprise’s network for weeks or even months at a time. Businesses that believe they are secure, yet aren’t aware of this sophisticated threat, could be leaving themselves vulnerable.

“It’s important the government is clear in their message that businesses who are accredited by the scheme will still have to update their security defences regularly to stay on top of the changing threat landscape. If not, the only essential thing businesses will need is damage control.”


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
