Security accreditation schemes are not bad things, but neither are they a silver bullet against falling victim to the bad guys
It has been reported that NHS Digital is opposing the post-WannaCry recommendation of a minimum security standards bar, in the form of mandatory compliance with the Cyber Essentials Plus (CE+) standard by June 2021. The documents appear to refer to a presentation at an NHS Digital cybersecurity committee meeting in which the cost of compliance was estimated at anywhere between £800 million and £1 billion. According to HSJ, one document reveals that NHS Digital took the position that ensuring all providers obtain CE+ accreditation, while useful as a benchmark, would not be value for money. Yet the same document is said to also raise concerns over the ability of organisations within the NHS to respond adequately to any new major cyberattack. Given that cyberattacks on the NHS have, by all accounts, neither stopped nor even slowed since WannaCry, this stance could be viewed as particularly worrying at first glance.