27. One of the key areas of the inquiry was to examine the adequacy of the supervisory, regulatory and enforcement regimes currently in place to ensure companies are responding sufficiently to cyber-crime. We received evidence from the DCMS which stated:
The Cyber Essentials scheme sets out the technical controls organisations should have in place to demonstrate that they are following a basic level of “good practice” in terms of their cyber security. Once implemented, the scheme provides a base level of readiness for the organisation to defend itself from internet-based attacks. However, the Government’s expectation is that larger organisations and those that hold large amounts of data would need to undertake other measures above and beyond those included in the Cyber Essentials scheme. One such measure is the Ten Steps to Cyber Security, which is a more comprehensive piece of guidance that assists companies to take the appropriate steps they need.
28. Not all of our witnesses were convinced about the effectiveness of Cyber Essentials. The British Business Federation Authority (BBFA) highlighted divisions within the security community, stating:
All agree it sets a low bar; some believe it is better than nothing, but others believe that it provides a false sense of security. This issue would be OK if the UK Government were working with industry to develop cyber-security methodologies at higher levels of assurance, but it is not.
29. In written evidence, the Federation of Small Businesses supported Cyber Essentials but voiced a number of concerns, particularly concerning “how it establishes and implements security controls without first identifying the assets, vulnerabilities and risks an organisation faces…the human factor is also a major consideration.” Dido Harding told us that she was not sure if Cyber Essentials was a good enough benchmark. In written evidence, TechUK highlighted that neither Cyber Essentials nor the 10 Steps make any reference to encryption, or to the hashing and salting of passwords. The Cyber Essentials scheme was established in 2014 and has not been updated since then to take account of emerging technology and new hacking approaches.
30. We note the evidence from the Federation of Small Businesses and the BBFA concerning the weaknesses of the Cyber Essentials scheme, and the comments from DCMS that other measures beyond Cyber Essentials would be expected for larger organisations. We support the aim of the UK Cyber Essentials scheme and we recognise that no certification can provide a 100% guarantee of preventing cyber-attacks. We think that Cyber Essentials provides a good checklist for small and medium-sized firms but needs revision in light of the recent experience of cyber-attacks, particularly the probability that 90% of large organisations will experience a cyber-attack and the growing problem of cyber-ransom demands. We note that Get Safe Online, supported by the Government, includes guidance on developing business security and recovery plans, and that current advice is to update the business security plan within 6-12 months of the first test. Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans, and processes for responding to cyber-ransom demands.
49 Dido Harding, oral evidence, Q94
50 TechUK. This means applying algorithms to passwords.
17 June 2016