CE+ – Get the essentials right!

NetUtils’ Steve Nicholls explores Cyber Essentials Plus (CE+), the Government-backed, industry-supported scheme to help organisations protect themselves against common online threats.

Posted 12 January 2022 by Christine Horton

With cybersecurity high on the public sector agenda, the UK government has been strengthening its position over the last few years. The most significant investment was its National Cyber Security Strategy (NCSS), which committed £1.9 billion of funding over a five-year period, including the creation of the National Cyber Security Centre (NCSC) and the Suspicious Email Reporting Service (SERS). In 2020 alone, NCSC helped over 1,200 organisations handle cyber-attacks and used SERS to take down 22,000 malicious URLs and 9,300 malicious web links.

The Centre has helped foster better cyber security across the public and private sector through its ownership and promotion of Cyber Essentials and its audited tier, Cyber Essentials Plus (CE+), an industry-supported scheme to help organisations protect themselves against common cyber security threats. CE+ is based on a set of controls that can defend organisations against around 80 percent of common cyber-attacks, and adds to the basic self-assessment a technical audit, an internal and external vulnerability assessment, plus the potential for a random on-site audit.

To give it more teeth, the government has also stated that to bid for certain contracts, an organisation must be Cyber Essentials certified or be able to demonstrate that equivalent technical controls are in place. A related assurance scheme has been applied to the NHS through its Data Security and Protection Toolkit (DSPT), an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

More importantly, all organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

It seems likely that the adoption of CE+ and DSPT is part of an ongoing trend to encourage public sector organisations and their supplier community to adopt a benchmark level of security. The ‘carrot’ for suppliers is access to public sector contracts, yet this may turn into a ‘stick’ as optional standards shift to compulsory mandates over the next few years.

This is vital, as the Government’s own Cyber Security Breaches Survey 2021 found that four in ten businesses (39 percent) and a quarter of charities (26 percent) reported having cyber security breaches or attacks in the 12 months to March 2021.

Understanding CE+

At a practical level, there are five key areas that CE+ covers. These start with network controls that focus on the configuration and deployment of firewalls and routers, along with defining best practice around what types of traffic should be allowed onto the network and blocking unapproved inbound connections by default.

Software updates define processes for keeping software, including operating systems, patched with the required updates within a set time after release. This is vital, as a 2019 survey found that one in three IT professionals (34 percent) across Europe admitted that their organisation had been breached as a result of an unpatched vulnerability.

Malware protection is the third aspect of CE+ and provides guidance on the installation and proper configuration of anti-malware software, along with restricting execution to trusted applications only (application allow-listing).

The access control portion of the framework covers how to define, assign and control user and administrator accounts, so that administrative privileges are limited to those who need them and access to sensitive data and services is restricted.

The last major section provides guidance around secure configuration, defining how to build and install computers and network devices to reduce unnecessary vulnerabilities: removing unused software and accounts, changing default passwords and disabling unneeded services. Although the scheme does not go as far as mandating a full-scale “zero trust” methodology, in which every connection between users, systems and data is authenticated and authorised regardless of network location, it does demand that adherents authenticate users before enabling Internet-based access to commercially or personally sensitive data.

Skills and services

In terms of how organisations meet the standard and pass the external audit, the biggest challenge has often been human resources. According to the government’s own research, the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year.

As a result, more public sector organisations are turning to third parties and managed security service providers to help deliver against the five key areas of Cyber Essentials. This process has been given a boost by the growth of suppliers under the Crown Commercial Service Technology Services 3 (RM6100) framework, which has made it easier to access a diverse portfolio of cyber security and networking products and services via the platform. One key feature is the ability to purchase services, including the consultancy needed to prepare for the CE+ audit, via simplified contract terms and per-user pricing models.

Although the skills shortage and the lack of standardisation around cyber security skills remain an ongoing challenge, 2021 also saw the launch of another government-backed initiative that should help: the UK Cyber Security Council.

Initially funded by the DCMS, the new body aims to create a single governing voice for the industry to establish the knowledge, skills and experience required for a range of cyber security jobs, bringing it in line with other professions such as law, medicine and engineering. Although at an early stage, if it follows the “Chartered” Institute model of those other professional bodies, it should ultimately unify disparate cyber security skills under a standard “equivalency” model and help reduce the skills gap.

There is still more to be done within the public sector, and spectres such as last year’s massive ransomware attack on Ireland’s Health Service Executive (HSE) serve as a constant reminder of the perils of inaction. CE+ and DSPT are useful frameworks that provide a roadmap to help organisations build towards best practice, and they should be welcomed by every organisation as a benefit rather than a burden.

Steve Nicholls is commercial director, NetUtils