Cyber Essentials, a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks, was launched in June 2014.
It is a set of basic technical controls for organisations to use, but whether these are suitable for all businesses is a subject of debate.
At Computing’s Enterprise Security & Risk Management Summit in London today, several senior IT experts debated whether or not the programme was worthwhile for small and medium businesses (SMBs).
Andy Boura, senior information security architect at Thomson Reuters, believes that the scheme is a good way for SMBs to get on the right path in terms of their information security strategy.
“It’s really good hygiene practices – it’s patching, it’s lockdown, anti-virus, all of the basic stuff,” he said.
“Most breaches are caused by not doing the basic things. So in terms of what SMBs can do they can start by looking at that and ticking all of those boxes – but not just ticking them in terms of compliance but really understanding why those things are listed and ensuring that they are being applied in a sensible way,” he said.
But Dean Atkinson, global head of cyber security operations at the Thomas Cook Group, believes that while Cyber Essentials and other schemes such as the government’s 10 steps programme are good activities, they aren’t for every SMB, and are definitely not for Thomas Cook Group.
“In terms of mitigating risk, I would postulate that there are other activities that we could conduct that would decrease our risk for less money than some of those steps,” he said.
“Some of those are notoriously difficult, such as identifying all of your software, assets and end points. I’ve worked in a lot of organisations over the years and I don’t know many who do that,” he said.
The University of St Andrews is taking part in the Cyber Essentials scheme, and its CIO, Steve Watts, said it’s a worthwhile initiative.
“It’s a quick posture-check in terms of what our environment looks like. It’s aimed more at smaller businesses, but it does help to demonstrate and shift the culture in the organisation in terms of what is important,” he said.
Thomson Reuters’ Boura suggested that the issues covered in Cyber Essentials are those that every organisation should consider as a starting point.
“It’s a bit like saying to make brain surgery safer we need the latest and greatest scanners but you don’t need to wash your hands; it’s just not the case that you can ignore the essentials because if you don’t get those fundamental elements in place, and follow everything, then no matter how good the security is of all of the sophisticated tools you give to people, it’s all for nothing,” he said.
But Thomas Cook’s Atkinson said that he wasn’t questioning the importance of Cyber Essentials or other similar frameworks, but suggesting that there were alternative activities that may deliver benefits faster.
“If it’s a company that has a global footprint with a number of subsidiaries, and complex third-party delivery environments, then some of those activities can cost tens of millions of pounds and take many years, so I’m just suggesting that there are other activities you can do to mitigate your risks more quickly,” he said.