Mind the Security Gap : Evaluating the Effectiveness of the UK Cyber Essentials Scheme and its Suitability for Large Enterprises

Cooper, Andrew and Thomas, Daniel (2023) Mind the Security Gap : Evaluating the Effectiveness of the UK Cyber Essentials Scheme and its Suitability for Large Enterprises. Masters thesis, Computer And Information Sciences.

[thumbnail of Cooper-CIS-2023-Mind-the-security-gap-evaluating-the-effectiveness-of-the-UK]
Text. Filename: Cooper-CIS-2023-Mind-the-security-gap-evaluating-the-effectiveness-of-the-UK.pdf
Final Published Version
License: Strathprints license 1.0

Download (1MB)| Preview


The Cyber Essentials scheme was launched in 2014 to help businesses in the UK demonstrate they had effective basic security controls in place. Later that year it was made a mandatory requirement by Crown Commercial Service for certain central government contracts and it is used today as an independent measure of assurance by public bodies such as the Ministry of Defence and the Scottish Government. Despite this, there have been high-profile compromises at UK organisations that held Cyber Essentials at the time of their attack. The aim of this research is to discover what could allow a low-level internet threat to bypass the Cyber Essentials controls which, after all, are designed to prevent such an attack from occurring. Is it the controls themselves, the requirements, scoping issues or the audit? The aim of Cyber Essentials is to be a universal scheme, regardless of size. Despite this there have been criticisms of scaling issues which have been dismissed in blog posts by NCSC. The main theme of the research was therefore to look at whether there is something to this – does the scheme have fundamental issues when applied at scale which could allow a low-skill attack to occur? And since large public sector bodies are mandating this from suppliers and organisations they do business with, are there issues with using it as an independent measure of assurance? A survey of large organisations was carried out to gather views on the pros and cons of the scheme and to help identify any issues they have with scale or assurance. These findings were then used to inform a literature review of the scheme documentation. This featured a methodical examination of every question related to scope and the security controls in Cyber Essentials, and an examination of each test in Cyber Essentials Plus. To provide further context an interview with a former Cyber Essentials assessor was carried out which helped identify further issues in the assurance process. The research found that neither Cyber Essentials nor Cyber Essentials Plus could be used as an independent measure of assurance and that both had issues when applied at scale. 17 recommendations have been made which, if implemented, would dramatically improve the scalability of the scheme and the assurance it offers. Despite these recommendations future work should be carried out to consider whether the scheme actually addresses modern low-skill cyber threats.