How does automation increase the quality of Cyber Essentials?

An organisation can be assessed against the 5 Cyber Essentials controls using machines rather than humans.

To a certain extent, this is already being done with Cyber Essentials Plus certification, although the analysis and interpretation of results are currently done by a human being, which makes it both time consuming and expensive.

This part can also be automated. Checks against the current test specification can be interpreted automatically: secure configuration, boundary firewalls and internet gateways, patch management, and malware protection can all be checked objectively.

In some cases, e.g. policies for access control and administrative privilege management, a few simple questions are required.

Everything else can actually be assessed automatically without the need for a consultant.

How will automation increase quality?

Critics of the current scheme cite 3 principal quality issues:

  1. Inconsistency – due to differing approaches across the 5 Accreditation Bodies
  2. Lack of flexibility – due to inexperienced, often non-expert, Cyber Essentials assessors
  3. Partial coverage – due to the limited scope of assessments

Automation by its nature can potentially address all 3:

  • By adopting a single consistent and transparent approach, based upon a common automated test specification, accreditation bodies and end-users alike can have confidence that standards are being met consistently.
  • By capturing appropriate analysis created by experts with an appropriate level of cybersecurity knowledge and experience, and committing that to software, automation can reduce the scope for error and omission.
  • Automated services can also cope with scale much better than humans – instead of testing less than 10% of the IT infrastructure, why not test everything in the estate? Even equipment that cannot, and could never realistically hope to, pass an assessment (an MRI scanner running Windows XP) can be brought into scope and risk-managed accordingly.
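To make the idea of objective, machine-interpreted checks concrete (the checks listed under "This part can also be automated" and the whole-estate, risk-managed scoping argued for in the last bullet), here is an added example written for this page; it is not XQ Cyber's CyberScore, not the NCSC test specification, and not code from the original post. The five control names follow the article; the device fields, the 14-day patch window and the list of unsupported operating systems are assumptions, and the sample estate is constructed. A device whose operating system can never be patched is not silently excluded: it is kept in the inventory and reported as needing risk management rather than certification, while the per-control pass rate is computed over the devices that can be certified.

```python
"""Added example: evaluate a device inventory against the five Cyber Essentials
control areas. Thresholds, field names and the sample estate are assumptions,
not taken from the article or from any official test specification."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed: systems whose vendor no longer ships patches can never pass
# patch management and must be risk-managed instead of certified.
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}
PATCH_WINDOW_DAYS = 14  # assumed "patched promptly" threshold
CONTROLS = ("firewalls", "secure_configuration", "access_control",
            "patch_management", "malware_protection")


@dataclass
class Device:
    """One host as reported by an (assumed) inventory agent."""
    name: str
    os: str
    firewall_enabled: bool
    last_patch: date
    antimalware_running: bool
    default_creds_changed: bool
    unneeded_services: List[str] = field(default_factory=list)
    # The one input a person still answers, as the article notes for
    # access-control and administrative-privilege policy questions.
    admin_privs_reviewed: bool = False


@dataclass
class Assessment:
    device: str
    checks: Dict[str, bool]
    risk_managed: bool  # True when the device can never pass and needs compensating controls


def assess(dev: Device, today: date) -> Assessment:
    """Objective pass/fail per control for a single device."""
    unsupported = dev.os in UNSUPPORTED_OS
    checks = {
        "firewalls": dev.firewall_enabled,
        "secure_configuration": dev.default_creds_changed and not dev.unneeded_services,
        "access_control": dev.admin_privs_reviewed,
        "patch_management": (not unsupported)
                            and (today - dev.last_patch).days <= PATCH_WINDOW_DAYS,
        "malware_protection": dev.antimalware_running,
    }
    return Assessment(dev.name, checks, risk_managed=unsupported)


def summarise(assessments: List[Assessment]) -> dict:
    """Per-control pass rate over the certifiable estate, plus the devices
    that must be risk-managed rather than certified."""
    certifiable = [a for a in assessments if not a.risk_managed]
    rates = {}
    for control in CONTROLS:
        passed = sum(a.checks[control] for a in certifiable)
        rates[control] = passed / len(certifiable) if certifiable else 0.0
    return {
        "pass_rate": rates,
        "risk_managed": [a.device for a in assessments if a.risk_managed],
        "estate_compliant": all(all(a.checks.values()) for a in certifiable),
    }


# Constructed sample estate: one clean laptop, one server with drift,
# and the article's MRI scanner that can never be patched.
TODAY = date(2019, 6, 1)
SAMPLE_ESTATE = [
    Device("laptop-01", "Windows 10", True, date(2019, 5, 25), True, True, [], True),
    Device("web-01", "Ubuntu 18.04", True, date(2019, 4, 1), True, True, ["telnet"], True),
    Device("mri-scanner", "Windows XP", False, date(2014, 4, 8), False, True, [], True),
]


def run_sample() -> dict:
    """Assess the constructed estate and return the summary dictionary."""
    return summarise([assess(d, TODAY) for d in SAMPLE_ESTATE])


if __name__ == "__main__":
    summary = run_sample()
    for control, rate in summary["pass_rate"].items():
        print(f"{control:22s} {rate:.0%}")
    print("risk-managed:", summary["risk_managed"])
    print("estate compliant:", summary["estate_compliant"])
```

Run as-is and the summary shows the server failing secure configuration (an unneeded telnet service) and patch management (61 days since the last patch), the scanner listed under risk management rather than counted as a failure, and the estate as a whole not yet compliant. Re-running the same function monthly against a live inventory is all the "continuous compliance" the article describes amounts to in code.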

Needless to say, there are other ways in which automation can increase quality. The first and most obvious one is to potentially dispense with the self-certification based upon subjective answers. In other words: why bother with basic Cyber Essentials, a standard of debatable value due to its subjective nature, when you could have an objective, evidence-based standard, for less effort?

The next possibility created by automation is continuous compliance. If computers are answering the Cyber Essentials questions, why not ask them to do so 365 days a year, rather than just once?

How will automation lower barriers to adoption?

Automation offers the potential for expert knowledge to be embedded within a managed service, and to be made available to a non-expert user. This makes the Cyber Essentials scheme accessible to small and mid-sized businesses currently lacking the knowledge to self-certify, but reluctant to pay for expensive expert consultancy.

For larger organisations, also unwilling to break the bank with third-party consultants, automation provides them with the autonomy to self-certify on a business unit by business unit basis, rather than on a monolithic basis. Decisions related to scope can be left to the end users and their service providers, rather than to assessors who lack the knowledge to flex the scope based upon sensible, risk-based decisions.

The key to driving adoption is, therefore, to place more power into the hands of end users and to move away from the idea that end users require intervention from cybersecurity experts, particularly when questions exist as to how competent those experts might actually be. End users should be able to self-certify for Cyber Essentials Plus; the challenge for NCSC and its new partner will be to ensure that automated tools and services are assured.


How will automation reduce costs?

The cost of an annual Cyber Essentials Plus certification was around £3,500 for XQ Cyber. An automated service could not only reduce that price to less than £1,000, but it could also deliver twelve times the value by assessing the end-user continuously (monthly would be enough) throughout the year. By removing the human being from the initial phases of certification (identifying the issues to be fixed), end-users can instead focus on addressing the issues and putting in place the processes and procedures that make those fixes less costly to implement.

Additional wins

For Governments, the potential big win offered by automation (other than increased adoption) is increased visibility. Automation offers the possibility of introducing scoring, analysis and trending data; the kind of learning that can be used to inform policy and shape the guidance offered to end users. For example, automated services could identify:

  • How the public and private sectors compare in terms of security posture and scheme compliance;
  • Regional, sectoral and vertical variations, and the special challenges faced by each;
  • Average days per annum compliant / non-compliant.

Unless something is done to address the lack of adoption, the scheme will, in our view, probably die, or be diluted to the point of adding no business value. The demise of the scheme would be a disaster, not so much in terms of embarrassment for NCSC, but more in terms of the cybersecurity of the nation.

If we can’t find a way to allow large numbers of public and private sector organisations to demonstrate conformity to 5 technical security controls, then the UK will remain acutely exposed to commodity cybercrime, whose own growth figures are depressingly exponential.

Want to learn more about CyberScore? Visit our website to book a demo.

For Further Reading

XQ Cyber set to revolutionise Cyber Essentials Plus with CyberScore™

Using automation to increase Cyber Essentials adoption (And raising the bar while we’re at it.)

The Business Benefits of Cyber Essentials Certification
