The Cyber Essentials assessment has been described as a good starting point, but it should be seen as the bare minimum and not just an effort to meet Government contracting requirements.
Speaking at IT Governance’s conference in London, Alan Calder, founder and CEO of IT Governance, said that while he welcomed it, Cyber Essentials gave only “the minimum level of implementation”. The benefit of implementing it was survival, since most companies do not deal with basic threats, and it also demonstrated to customers and staff that you take cyber security seriously.
He said: “Organisations are not spending enough to close issues and are doing the wrong thing; they are spending on a knee-jerk reaction to what they last suffered. If they had a malware infestation but they didn’t see a plant of APT software on the network, so they rolled out investment in password control and anti-virus to make sure it didn’t happen again, but vulnerabilities went on existing and business was too locked down.”
Also speaking at the event, Sarb Sembhi, chair of ISACA GRA committee and director of Storm Guidance, said that he felt that Cyber Essentials was a small part of what the Government was trying to do, and while it was important and a brilliant idea, it was a starting point.
“We do need it, but it is a checklist, and anyone can check things, but it is done at a point in time to check and it is like an MOT in the way that it works,” he said. “The basics are there to help protect you from attacks and breaches, and this starting point measures you at a point in time. But threats are evolving continuously and Heartbleed issues are still not fixed, while risks are changing and hacker tools getting better, and we have to get better at securing.”
Sembhi called for an assessment to assess businesses in the changing risk landscape. He said: “I believe this is what the Government is going towards, and many are not doing that so I don’t know how they expect them to do this. There should be a capability to look at maturity and what is an organisation’s maturity to risk and roadmap from what we have at the moment to a mature security assessment.”