Why aren’t businesses baselining their security?

By David Adams, Security Consultant at Prism Infosec.

Monday, 5th December 2022. Posted by Phil Alsop.

Baselining security is a great way to implement a foundational set of controls that aligns with the sensitivity of your data. Standards and frameworks such as the Cyber Essentials scheme, ISO 27002, NIS Cyber Security Framework, UK Government Minimum Cyber Security Standard and NIST 800-53B (Control Baselines for Information Systems and Organisations) apply best practice risk mitigation and this means they can be carried out without the need to conduct an initial risk assessment. Added to which, underwriter data suggests SMEs that are Cyber Essentials certified are 60 percent less likely to make a claim.

Yet, despite these advantages and the ubiquity of these standards, those choosing to adopt them remain in the minority. The Cyber Security Longitudinal Survey, published earlier this year, found only 19 percent of businesses had adopted Cyber Essentials and only 15 percent were ISO 27001 compliant. Not baselining security can lead to the implementation of either too few or overly prescriptive controls, which can result in negative impacts ranging from avoidable cyber-attacks to staff using workarounds which then introduce secondary risks. This means these businesses are much more exposed than they need to be, and the likelihood is that businesses will see their cybersecurity eroded still further due to shortages in the cybersecurity workforce.

Time for intervention

Recognising the importance of getting businesses on board with these standards, the government has attempted to identify precisely why take-up has been so lacklustre. The Cyber Security Incentives and Regulations Call for Evidence and the subsequent Review make for damning reading. It was found that the current standards and frameworks were “unfit for purpose” because they were either too basic or too prescriptive, while the “multiplicity of cyber risk management standards and frameworks results in confusion as to which is most appropriate for their particular organisational risk posture”. The conclusion drawn was that clarity was needed and that the government would need to be more interventionist, as there had been insufficient drive in the market to create improvements in organisational cyber risk management.

Consequently, the National Cyber Security Centre (NCSC) overhauled the Cyber Essentials scheme this year, introducing five major changes. These ranged from the shared responsibility model for cloud security, to guidance on home working, multi-factor authentication, and what should be regarded as ‘in scope’ when implementing the standard (hint: all end user devices). Further clarity was also provided on BYOD, legacy software, and the security patching window.

These changes saw Cyber Essentials certifications rise 16 percent during the first half of the year. However, this still equates to only 100,000 accredited businesses out of the 1.4 million companies with staff that are based in the UK. The prime reason for this is that most only implement such standards out of contractual obligation, and it is very much seen as a compliance task. This is a missed opportunity, because such standards can be dovetailed to the data type, obligations, risk arena or risk appetite of the business to provide a recognised level of assurance to other parties that demonstrates the business is diligently managing its cyber risk.

Making risk relevant

So, what needs to happen for businesses to baseline their security effectively? It’s not just a matter of whether businesses are aware of these standards (the Cyber Aware campaign for Cyber Essentials has already got the message out) and it’s not that they’re not being observed (the failure rate for Cyber Essentials is very low at just 3.5 percent month-on-month as of October 2022). Rather, it’s a matter of making these standards relevant to the business with real gains.

The review claims there need to be more incentives to drive adoption. These include cost-benefit analysis so that the impacts and costs of failing to mitigate risks can be gauged. Many underestimate the true costs of breaches and so underinvest in cybersecurity or struggle to build the business case. To counter this, we can expect more transparent reporting on breaches and impacts from the DCMS.

Steps will also be taken to elevate the status and input of ‘Market Risk Managers’ such as insurers and procurement managers, who have a limited role today but the potential to influence investment in risk management. There will also be more emphasis on accountability, with larger businesses likely to be mandated to assess and address cyber risk. Legislation, for now, will focus on those deemed to offer critical digital services, through the tightening of the Network and Information Systems Regulations.

To further boost adoption, there is also a case for mandating Cyber Essentials through the use of tax rebates or for providing incentives in the form of lower cyber risk insurance premiums. So far the government has stopped short of taking this step, but we could well see the cyber insurance sector offer lower premiums to certified companies.

The steps the government has taken in its intervention will see baselining become far more widespread, creating a minimum bar for security. But there’s also the potential for businesses to use that baseline more constructively.

Better use of the baseline

To start with, effective cyber security should be applied in such a way that it mitigates or successfully manages security events as they occur, so that they do not seriously impact the organisation’s drive towards its strategic goals. For this to happen, it is critical that the organisation communicates its business strategy clearly, so that its cyber security strategy can be aligned to support the strategic direction of the organisation. There therefore needs to be buy-in and steer from the top when implementing these standards.

When it comes to implementation, the organisation must maintain an understanding of the quantity, sensitivity and displacement of the information it uses as part of its day-to-day business. This information, regardless of whether it is in documentary, electronic or intrinsic form, will have risk-appropriate controls applied, and these should be assessed for effectiveness at regular intervals, either internally or through an external third party.

Data disposition and flows will need to be mapped and managed to ensure that information remains secure, intact and readily available to those with a proven need to know, and that it is protected in all its forms, whether at rest or in transit. All organisations are subject to forces which can shape the way information is used. So, any changes affecting how data is collected, processed, stored, shared or disposed of must involve a risk assessment to ensure that any new risks are mitigated and redundant risks retired. Here, the baseline controls can be adjusted to meet the demands of the change in risk climate or business operations.

In many ways, the strength of these frameworks lies not only in the fact that they provide a basic level of risk assurance but also in their adaptability. Being able to map them to the business’s information assets, processes and goals, and being able to amend them as new challenges or opportunities arise, ensures the baseline remains relevant. It can act as a foundation on which to build more sophisticated risk-based methodologies and management practices, creating the “more mature level of organisational cyber resilience” that the review wants every business to work towards.