Free Cyber Health Check for FTSE 350 companies – what about small businesses ?


It was announced today by Digital Economy Minister Ed Vaizey (follow this link to the full document) that:

The UK’s 350 largest businesses – FTSE 350 firms – are being urged to take part in the free Cyber Health Check to help them understand and improve their level of cyber security. Companies will receive a confidential, tailored report enabling them to understand boardroom trends, compare themselves to their peers and address any weaknesses identified. The health check also generates aggregated data showing how well the top UK companies are performing.

Now, feel free to correct us if we are completely wrong, but surely a FTSE 350 company must already invest significant funds in its IT infrastructure, staff, policies and procedures, training and everything “cyber” to make sure it can function – so how come they qualify for a free confidential tailored report, yet nothing similar is offered to SMEs, who will need this type of report to help them progress as a business?

@BusinessGov did respond to our tweet, mentioning a closed Innovation Voucher Scheme that may reopen (but then again it may not). But this is a lottery: there is no guarantee that after applying for something that may be a key part of your small business succeeding, you will actually get the funding you need (bearing in mind you have to pay your supplier and then claim it back if you are successful!)

We were grateful to see that IASME agreed that SMEs need the funding to help them become more aware and compliant.

But moving on and playing “What if”…..

Now, it is our understanding that to bid for certain types of Central Government contracts that “involve handling personal information and providing certain ICT products and services” (link to full document here), it is mandatory for bidders to have Cyber Essentials certification. It is also recommended that this level of certification should be adopted by others (from which we assume Local Authorities, businesses etc.).

The Cyber Essentials scheme comes in two flavours: the self-assessment “entry level” and the more complex Cyber Essentials Plus. Full details on the scheme are available here.

As a rough guide, Cyber Essentials costs roughly £300 and Cyber Essentials Plus from £1000+, but this does not include any of the time spent writing the necessary policies, fully understanding the requirements and procedures (training) or keeping them up to date. The fees are annual, so think of it as a Digital MOT – technically only valid on the day of the assessment unless you commit to and implement everything on a daily basis.

In theory this is a great idea until you look at some of the practicalities for a Micro/Small Business, especially if the scheme were to be rolled out beyond the Central Government procurement process.

Most Small IT Businesses start by ordering a PC or two, a broadband connection and plug in and go.

They can do their job and make money to help grow the business: employ more staff, buy more PCs, create a network – again, a simple plug-and-play affair these days.

They may need external IT assistance occasionally if problems occur, but on a day-to-day basis, why do they need to pay for another member of staff to be on hand “just in case”?

They write their code/website/database/application/do support/etc and they are good at what they do.

Taking the Government recommendation that Cyber Essentials certification should be adopted by others, for our example we’ll pick Local Authorities. “IT” projects would need Cyber Essentials certification for businesses dealing with projects that handle personal information. This style of project could be as simple as a website where users are allowed to fill in a contact form – not exactly a high-tech IT project.

Now the company bidding for the contract may use IT tools that would be applicable for the project they are bidding for, yet they may not know what to do if their network failed or their email was compromised.

If you were not an IT Geek, would this make any sense to you?

  • “Have all commonly attacked and vulnerable services (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh, rexec) been disabled or blocked by default at the boundary firewalls?”
  • “Have all open ports and services on each firewall (or similar device) been subject to justification and approval by an appropriately qualified and authorised business representative, and has this approval been properly documented?”
  • “Has all unnecessary software, including OS utilities, services and applications, been removed or disabled?”
  • “Are users prevented from running executable code or programs from any media to which they also have write access?”

The Cyber Essentials questionnaire covers a wide range of security topics as you would expect but IF the certification scheme was to apply to Local Government/Authorities/Departments procurement procedures – the level of knowledge required to pass at basic level may automatically disqualify a lot of Micro and Small Businesses.

Hands up – it’s all examples, conjecture and Devil’s Advocate but….

Whilst education is the key, if something isn’t relevant to your core business, do you spend the cash and try to maintain your in-house IT systems to the required “standard”, do you pay someone else to do it, or do you ignore any local-authority-style procurement if adoption of Cyber Essentials made it that far?

We’re not sure what the answer is (yet), but giving away an undisclosed sum of money for a “Free Cyber Health Check” to the FTSE 350 companies, who should a) be in a position to pay for it and b) be “cyber health checked” on a regular basis already, isn’t going to help support or educate the Micro and Small Businesses with the necessary “Cyber” skills potentially needed in the future.


Update 19th November 2015 – Apparently the Cyber Security Innovation Vouchers – Round 14 is still open until 5th January 2016. More information is on the Innovate UK website.