Implementing cyber essentials plus in a tech team.
CyberEssentials+ is a scheme in the UK for assessing, and validating basic cybersecurity stance within your business.
You are given a list of security requirements that you must be compliant with, then an external third-party auditor comes in to ensure that you are indeed compliant, before issuing a certificate that must be renewed yearly.
At the time of writing, this certification process is about £1800 a pop, depending on who you go with.
There is also the standard CyberEssentials. Which excludes the auditor, you self certify and costs closer to £500 a year. Which is fine if you are genuinely just trying to improve security in your business, but I wouldn’t take it as a stamp of trust from a would be supplier. As, anyone can lie to get this self accreditation.
About Us
So Carnedd are based in NW wales, at the time of writing we were a team of four programmers.
We recently went through Cyberessentials+ to qualify for certain government contracts that we were bidding upon.
We delayed doing this for some time, as it seemed the Cyberessentials+ programme was aimed more at hairdressers, and accountants than it was at tech teams.
However, we needed this compliance for contracts, so we set about it. Here are some things we learnt along the way.
1) There is a big difference between someone who can assess your compliance, and somebody who can consult on it
We had some quite specific requirements, due to the way our programmers work. Specifically relating to how they need root access to their machines on a semiregular basis just to be able to do their job.
Root access to machines is an instant fail on one of the compliance points of the assessment, so before we committed to the cost, we started phoning around Cyberessentials+ assessors.
This actually turned out to be quite a good measuring stick for assessing auditors. As what became clear, is that there is a big difference between someone who can tick a box to say you are compliant and somebody who can actually consult on making you compliant.
I must have spoken to over half a dozen people before somebody actually had the technical skill to be able to answer my question; needless to say, we went with them.
Only 1/6 of the people I spoke to were able to consult, not just tick boxes, so it does make it feel like the scheme is the blind leading the blind somewhat.
2) Whether you are compliant with specific requirements can depend on who your assessor is, and which way the wind is blowing
Having recently witnessed a panel of assessors discussing Cyberessentials+, it’s clear what constitutes a pass on some criteria clearly varies between them.
Each interprets the requirements in their own eyes, and each can have a different level of flexibility on if you are compliant. Seemingly, it could literally be based upon their mood or the direction of the wind.
3) It is much harder to implement in a dev team than it is in most other sectors
Developers constantly need to be installing new software and packages on their machines, as well as accessing the machine as root to be able to do their jobs.
There are workarounds to all these problems, but they are just that; workarounds.
It also increases paper work and reduces the autonomy of individuals, as they need authorisation to do tasks that are required in their day-to-day work. This took some adjustment and getting used too.
4) It increases your operational overhead
Aside from the cost of the assessment, there are other costs involved. Firewalls, device management, more expensive software packages with higher security levels. It all starts to add up quick.
For a team of four programmers, I would suggest it is costing about £5-6k a year in literal and human costs to keep the compliance up.
Don’t get me wrong, it’s still cheaper than a cyberattack. But for smaller businesses, it is a big overhead.
5) It doesn’t necessarily translate into more work
As a team of experienced programmers, we are always looking to separate our skill set from others. I did think that this accreditation may help.
If it has helped, it’s not obvious. The reality is, most people still do not care about their own security, let alone yours.
If you go for this accreditation hoping it will unlock a flood gate of additional work, you are probably mistaken.
6) It does absolutely improve your overall security standing.
I feel like I have done a lot of moaning here. But the reality of the situation is that it absolutely improves your security stance.
Our staff are better trained, our systems are more secure, and our attack surface is reduced. I can understand why this is a minimum requirement for government projects in the UK.
Takeaways
Cyberessentials+ is a lot of faff, and to the technical capable it is clearly full of contradictions. But nothing in life is black and white, something can be simultaneously good and bad.
The cost is also much higher than just the cost of just the assessment, and you should bear this in mind when budgeting. As holding the certification alone is no guarantee of increased work, even if it is a prerequisite for some contracts.
However, overall all Cyberessentials+ does improve security stance, and if more people implemented it, the nation's security would be vastly improved.