UK gov’t looks to simplify security certification process for contract bidders

Today marks five years since the launch of the UK government’s Cyber Essentials scheme, which is designed to help British organizations protect themselves against common online threats.

In the time since the program was introduced, almost 27,000 British businesses have been awarded with certificates to prove they are security compliant.

But as it enters its fifth year, the government agencies responsible for administering the certifications are looking to improve the scheme’s accessibility.

Cyber Essentials has been criticized in the past by small and medium enterprises (SMEs) in particular, which, according to the Department for Digital, Culture, Media and Sport (DCMS), have historically found it more difficult to implement the required policies and procedures.

In order to be certified, businesses and organizations must prove that IT standards are suitably secure – a process overseen by an accredited certification body.

This can be a particular problem for those companies that don’t have the financial or workforce resources to prioritize security.

It can also be a problem for smaller firms, such as start-ups, looking to sell to the UK government. Cyber Essentials certification has been a mandated requirement for all public sector contract bidders since October 2014.

One solution is to refine the way that smaller businesses can adopt Cyber Essentials, head of the DCMS Cyber Security Incentives and Regulation Team Emma Green told delegates at the SC Congress recently.

“It needs to be more nuanced, to describe what ‘good cybersecurity’ looks like for different organizations with different circumstances. Patching within two weeks can be very difficult to achieve for smaller SMEs,” she said.

The use of the term ‘simplified’ has led some industry professionals to voice their concern, such as Andy Kays, technical operations director at Redscan, who told The Daily Swig he “doesn’t want to see controls relaxed on matters as important as patching”.

What lies ahead for the next five years of the Cyber Essentials scheme remains to be seen.

The UK National Cyber Security Centre (NCSC), though, told The Daily Swig that it won't compromise on the “rigour of certification”.

An NCSC spokesperson said: “Since its inception, Cyber Essentials has awarded over 26,500 certificates to organisations who have proved they are protected against a wide variety of the most common cyber incidents.

“We want to help even more organisations to benefit from this scheme, so without compromising on the rigour of certification, we are looking to simplify the process, as well as assessing the technical controls so they remain fit for purpose.

“The NCSC is committed to nurturing the Cyber Essentials scheme towards fulfilling its role in helping to make the UK one of the safest places to live and do business online,” the spokesperson added.

RELATED gears up for phase two of Active Cyber Defence