Trickle-down cyber economics: UK hails success of Cyber Essentials certification scheme
A decade on from its launch, the British government has announced it is delighted with the Cyber Essentials certification scheme, despite cyberattacks in the country being at record highs.
In a speech on Wednesday marking the anniversary, cybersecurity minister Feryal Clark hailed how an independent impact evaluation also published on Wednesday detailed the benefits the scheme brings to the companies and institutions that use it.
“Recent insurance data shows us that organizations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it,” she said, adding: “In short, Cyber Essentials is working.”
But, out of more than 5 million eligible organizations in Britain, as of the end of this February just over 31,000 held a certification — fewer than 1%.
Joseph Jarnecki, a research fellow at RUSI, said: “There are some promising points, looking at some of the results the government is seeing from organizations that are Cyber Essentials certified, but given the fact that take-up remains so low, it’s hard to know whether or not the scheme is value for money.
“Given the take-up and the scope of the potential take-up, it has not met what its potential could have been and could still be,” Jarnecki told Recorded Future News.
Feryal acknowledged in her speech: “We now need more organizations to embed the Cyber Essentials controls.” The plan, as she explained, was for larger businesses to embed it in their supply chains, by “requiring suppliers, or other third parties, to have Cyber Essentials themselves.”
Spearheading the trickle-down cybersecurity approach is a group of some of the country’s largest banks, which, in another statement released on Wednesday jointly by the government and the National Cyber Security Centre, pledged to incorporate Cyber Essentials into their supplier requirements.
The move may foreshadow new obligations to come in the Cyber Security and Resilience Bill, expected to be introduced to Parliament next year, which the government said will update the country’s cybersecurity laws to protect supply chains.
The model is that directly regulated entities, which tend to be the prime contractors in various critical sectors of the economy, will pass cybersecurity standards down, through their own requirements, to the other organizations they depend on.
While the Cyber Security and Resilience Bill “will have a significant impact on enhancing the cyber resilience of the UK,” it “must be complemented by other efforts to improve cyber security across the wider economy,” said Feryal.
Targeting the most significant economic entities could drive adoption somewhat, and of course making Cyber Essentials mandatory for British organizations would also increase take-up, but Jarnecki cautioned: “I don’t know if it would justify the costs incurred [to enforce].”
“It seems to me that we’ve been overly cautious with regard to regulation,” said the RUSI researcher.
“Market incentives have not demonstrated themselves to work for the cybersecurity of software products. We’ve seen recent high-profile incidents where cybersecurity companies themselves have made sacrifices in the pursuit of quicker updates, more efficient products,” he added.
“The anxiety I have is around the amount of carrots that have been used to incentivise activity, and they haven’t been accompanied with any sticks.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.