What the UK's revised security guidelines mean for business [Q&A]
Changes to the UK government's Cyber Essentials security certification scheme come into force today. They include things like guidelines on remote working and hybrid approaches, rules for cloud service accounts -- such as deploying multi-factor authentication -- and speeding up patch deployments for critical and high severity vulnerabilities.
We talked to Karl Alderton, technical account manager at security and compliance specialist Qualys, to find out more about how these changes will affect businesses and what they need to do in response.
BN: What should people know about the changes to Cyber Essentials?
KA: This is the largest set of changes in the Cyber Essentials framework that we have seen so far. Whilst Cyber Essentials has always seen mixed views within the security community, there is no doubt in my mind that there is value in achieving the certification as it ensures many of the basics are being done correctly.
What those basics should be has changed over the past few years, based on all the actions that companies have had to take to carry on during the pandemic. The additions and changes to the technical controls will make it easier for companies to keep their remote workers secure, to improve security around their cloud services, and keep their operations going around new hybrid working practices.
The key thing to remember -- and it is the same as with other frameworks such as ISO27001 -- is that achieving compliance doesn't mean that everything is secure forever. It isn't the end game, but compliance does help you improve.
Organizations are unlikely to have the time or resources to be utilizing multiple vendors, cross referencing data, monitoring remediation in multiple places and then reporting on successful compliance. This will lead to more consolidation using services that provide all the crucial data in one platform, whether that is vulnerabilities from mobile, servers, end user devices or the cloud, or software inventory across the estate. With this approach, teams will have the detection capabilities needed to achieve the required visibility.
BN: So, what are these big changes?
KA: The most obvious change is around remote working, and how companies check their employees are secure outside the usual company network. It's important to understand what is in scope -- home network devices, such as routers supplied by ISPs, are now not covered, which is a positive change in my opinion. It was always going to be challenging for organizations, particularly small businesses, to cover all those devices. Home laptops and desktops are in scope. Therefore, to be able to comply with Cyber Essentials Plus, you will have to take an agent-based approach to assets and software inventory as well as vulnerability management. This is crucial, as without an agent, you will not have the required visibility to ensure you comply.
All Cloud Services are in scope for Cyber Essentials now too. A vast number of successful attacks are due to vulnerabilities and misconfigurations in the cloud, because people commonly assume that cloud services are secure, when they have responsibility to check on those services. Making this change makes this responsibility clearer, and you can’t just rely on the cloud provider for this in future.
Often different teams are responsible for cloud services compared to the traditional on-premises server estate and end user compute, which makes managing and reporting on a single framework difficult. Organizations will need to evaluate the tools currently being utilized and look for solutions that enable end to end reporting across all environments. This will ensure the necessary level of visibility and that reporting is standardized.
Organizations also need to see and understand all software within their environment, whether this is open-source or licensed software. Organizations will need to ensure they have 100 percent visibility of all software used, whether that is in the cloud, on an endpoint or running on a server. A crucial element here is forward planning, understanding what software is going end of life or end of support, allowing the organization to plan ahead of certification. It is also crucial to have visibility of unsupported software, to ensure this is removed from the devices in scope.
BN: What other changes should IT teams be aware of?
KA: Mobile devices like phones and tablets that connect to any organization data or services are now in scope, whether they are connecting over mobile networks or directly to the corporate network. With these devices now covered, organizations are going to need to have visibility of software lifecycles and vulnerability information on them. The biggest challenge here for organizations is those that allow BYOD -- are users going to allow their companies to implement Mobile Device Management or Vulnerability Management solutions on their personal devices? For many companies -- and users -- this will mean more discussion of what users are happy to allow.
In the past we have also seen organizations only include servers within the scope of Cyber Essentials, but this is no longer acceptable. The scope must now include end-user devices, which in my view is a crucial step. Whilst I don’t quite buy into the trope that the user is the weak link in security, we know attackers are targeting end user devices, so this threat should not be ignored.
BN: What will the biggest change in processes be, due to Cyber Essentials?
KA: I think the biggest change will be around software updates. All of the software on in-scope devices must be licensed and supported. In practice, this means that applications and operating systems must have automatic updates enabled where possible, or be updated within 14 days of the patch being released, if the vulnerability has a CVSS v3 score of seven and above or is described as critical or high risk.
KA: If we look back at how long organizations are taking to remediate currently -- on average, that is around 200 days -- the challenge here is for organizations to adopt and trust an element of zero-touch patching, where updates are automatically deployed out to users without testing first. Very few organizations achieve this today. These changes are going to be a challenge for organizations; there is no doubt about that. However, as I previously mentioned, the majority of this would be associated with basic cyber hygiene, so this should help improve security for many organizations.
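The 14-day rule described in the answer above can be turned into a simple self-check that a team could run over its own vulnerability export. The Python below is an added example written for this article; it is not Qualys tooling and not part of the Cyber Essentials scheme. The `Finding` record layout, the `EX-nnn` identifiers, the hostnames and the reference date are all constructed for illustration. It also shows the two edge cases a practitioner runs into: a finding with no CVSS v3 score that only carries a vendor rating, and software the vendor no longer supports, which fails the licensed-and-supported requirement regardless of patch state.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The rule as described in the interview: fixes for vulnerabilities rated
# CVSS v3 7.0 or above, or described by the vendor as critical/high,
# must be applied within 14 days of the patch being released.
SLA_DAYS = 14
CVSS_THRESHOLD = 7.0
VENDOR_HIGH = {"critical", "high"}

# Constructed reference date for the sample run (not the scheme's own date).
REFERENCE_DATE = date(2022, 3, 1)


@dataclass
class Finding:
    finding_id: str             # hypothetical identifier, not a real CVE
    host: str
    software: str
    patch_released: date        # date the vendor released the fix
    patched: bool
    cvss_v3: Optional[float] = None
    vendor_severity: Optional[str] = None
    supported: bool = True      # False = vendor no longer supports this software


def requires_14_day_fix(f: Finding) -> bool:
    """True when the finding falls under the 14-day rule."""
    if f.cvss_v3 is not None and f.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No CVSS v3 score, or a low one: fall back to the vendor's own wording.
    if f.vendor_severity and f.vendor_severity.strip().lower() in VENDOR_HIGH:
        return True
    return False


def patch_deadline(f: Finding) -> date:
    return f.patch_released + timedelta(days=SLA_DAYS)


def assess(findings: List[Finding], today: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """Bucket findings for a Cyber Essentials self-check.

    Each entry is (finding_id, host, days): days over the deadline for
    'breached', days remaining for 'due', and 0 for the other buckets.
    """
    report: Dict[str, List[Tuple[str, str, int]]] = {
        "unsupported": [], "breached": [], "due": [], "fixed": [], "below_threshold": []
    }
    for f in findings:
        if not f.supported:
            # Unsupported software fails outright: it has to be removed, not patched.
            report["unsupported"].append((f.finding_id, f.host, 0))
            continue
        if f.patched:
            report["fixed"].append((f.finding_id, f.host, 0))
            continue
        if not requires_14_day_fix(f):
            # Still worth fixing, but not subject to the 14-day clock.
            report["below_threshold"].append((f.finding_id, f.host, 0))
            continue
        overdue_by = (today - patch_deadline(f)).days
        if overdue_by > 0:
            report["breached"].append((f.finding_id, f.host, overdue_by))
        else:
            report["due"].append((f.finding_id, f.host, -overdue_by))
    return report


def sample_findings(today: date) -> List[Finding]:
    """Constructed sample data, not real scan output."""
    def released(days_ago: int) -> date:
        return today - timedelta(days=days_ago)
    return [
        Finding("EX-001", "laptop-01", "browser", released(20), False, cvss_v3=9.8),
        Finding("EX-002", "laptop-01", "pdf-reader", released(5), False, cvss_v3=7.5),
        Finding("EX-003", "srv-db-01", "db-engine", released(30), False, vendor_severity="High"),
        Finding("EX-004", "srv-web-01", "web-server", released(60), False, cvss_v3=5.3),
        Finding("EX-005", "phone-07", "mobile-os", released(40), True, cvss_v3=9.0),
        Finding("EX-006", "laptop-02", "legacy-office", released(400), False, cvss_v3=8.1, supported=False),
    ]


def run_sample() -> Dict[str, List[Tuple[str, str, int]]]:
    return assess(sample_findings(REFERENCE_DATE), REFERENCE_DATE)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket:16s} {items}")
```

Against real data the `Finding` rows would come from the scanner export, and `patch_released` should be the vendor's release date rather than the scan's first-seen date, otherwise the 14-day clock starts late and the check is optimistic.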
BN: Any other thoughts on what this move means?
KA: The biggest concern I have, and I hear the same comment from both private and public sector organizations, is how Cyber Essentials doesn't allow for individual organizations to account for risk based on their needs and goals. For example, understanding the risk associated with ransomware on my servers could mean that preventing attacks on them would be a higher priority for the organization than resolving that CVSS seven patch deployment in a 14 day period.
If we look at the state of play, certainly when it comes to managing end of life software and vulnerabilities, very few organizations are really on top of this. We see an industry average of over 200 days to remediate critical vulnerabilities, we see vulnerabilities mapped to remote code execution and denial of service where patches already exist, and we see companies running unsupported software throughout their organizations. Similarly, we can see upwards of 100 vulnerabilities per device when we engage with companies on building out a Vulnerability Management program. That is a lot of potential problems that need to be fixed.
This is where Cyber Essentials comes into play. The more organizations that do the basics well, the more difficult it gets for the attackers. This means fewer successful attacks like ransomware, which leads to fewer funds for attackers, and the safer we all become.