Raising UK Cyber Security Standards

[Image: HM Government logo, 2014-02-18]

Basic Cyber Hygiene Profile discussed in public at ISO27001 User Group, BSI Headquarters (14th February, 2014).

The UK Government’s ‘Basic Cyber Hygiene’ Profile is out in draft (v0.12) and is circulating.

What is it?

In the words of the Department for Business, Innovation & Skills (BIS), the Basic Cyber Hygiene Implementation Profile (a 16-page A4 document) is “…a key deliverable as part of the UK’s National Cyber Security Strategy / Cyber Programme”. It is one of (potentially) several such profiles intended to help organisations manage the business issues introduced by “the growing number of cyber threats”.

Who is this Cyber Security Profile for? And why should I/we be interested?

This implementation profile has been developed for all types and sizes of organisation, as they all need to protect themselves against low level cyber threats. Measures to address low level cyber threats described in this profile are considered to be the “absolute minimum” that any organisation connected to the Internet needs to have in place and sustain. It is therefore assumed (rightly, I judge) that this profile will be “…of interest and relevance to a broad range of individuals that have responsibility for protecting the organisation against low level cyber threats, including business owners, business executives, business managers, IT specialists and security practitioners”. But will it be widely adopted by smaller firms?

I asked the BIS to comment on this and other issues raised at the User Group, and their response below should be of interest to all UK businesses:

Q: What is the Cyber Hygiene Profile?

A: The Cyber Hygiene Implementation Profile is considered by HMG to “help businesses follow best practice in basic cyber hygiene and mitigate risks at the low-threat level”.

Q: Will HM Government specify the Profile in contractual relationships?

A: HMG will specify the Profile in contractual relationships with its suppliers where it is proportionate to do so, either in reference to best practice or as a requirement in terms of adequate cyber security best practice. In addition, HMG is encouraging adoption amongst major market sectors, including within companies’ own supply chains.

Q: Will other implementation profiles follow – and who will they be for?

A: It is anticipated that this Implementation Profile will be one of a suite of publications developed for other scenarios which might include the use of cloud services, for example.

Q: When will the Basic Cyber Hygiene Profile be published?

A: The Cyber Hygiene Profile will be made available by the 31st of March, after which the Government will continue to engage with industry on further developments.

So, you have answers to some important questions, courtesy of the BIS!

How will the Basic Cyber Hygiene Profile work? – What does it consist of?

To make the advice relevant to different sizes of enterprise, BIS define three Categories that together cover all organisations: individual users or very small organisations (Category 1; 1 to 10 users), what I would term a ‘microbusiness’; small organisations (Category 2; fewer than 250 users); and large/complex organisations (Category 3). Large enterprises of course account for the majority of the ISO27001 certificates issued globally, although the trend may well be towards a larger number of SMEs adopting and certifying to the Standard.

SMEs are rarely ISO27001 registered, although it is fair to say that, in our experience, the ones that have gained a certificate are very proud of it and use it as evidence of their high standards of cyber/information security. But what of the others? Will this Cyber Hygiene Profile obviate the need to be ISO27001:2013 compliant when it comes to winning Government work?

Will the Implementation Profile approach work to address cyber security?

The Cyber Hygiene Profile is ‘Basic’, and to ignore these fundamental security activities would be frankly irresponsible, bordering on reckless.

The head of GCHQ, Iain Lobban, said in a BBC News article in October 2010 that the country’s future economic prosperity rested on ensuring a defence against assaults on our critical infrastructure. In his view, 80% of the threat to systems could be dealt with through good information assurance practice, such as keeping security “patches” up to date, while the remaining 20% was more complex and could not simply be solved by building “higher and higher” security walls (the first of the five ‘topics’ covered in the Profile).

Critical infrastructure here includes national power grids and the emergency services, which in Sir Iain’s words face a “real and credible” threat of cyber-attack. It also includes sectors such as financial services, government, mass communication, health, transport, and food and water, all of which are deemed necessary for delivering the services on which daily life in the UK depends. A high proportion (most?) of these critical assets are in some way supplied by smaller enterprises, so the supply-chain risk is real.

SMEs need better cyber security – but can they actually afford to improve?

Many SMEs are at risk because of uncertainty over their own security posture and the cyber-attack threats they face, according to a study published by the Ponemon Institute in November 2013. The Risk of an Uncertain Security Strategy study polled 2,000 SMEs globally; 58% of respondents said management does not see cyber-attacks as a significant risk to their business.

The same study found that some 44% reported IT security is not a priority, while 42% said their budget is not adequate for achieving an effective security posture and only 26% said their IT staff have sufficient expertise.

Will the new BIS Basic Cyber Hygiene Profile work for British Industry?

As the saying goes: ‘A journey of a thousand miles begins with a single step’. But it is just that, a first step. The Implementation Profile is ‘Basic’ in the extreme, intended only to provide a consistent approach to low level threats. And it is worth reflecting that it isn’t just Government that wants better cyber security; many of the world’s leading enterprises and their Tier 1 suppliers are increasingly nervous about dealing with SMEs that cannot demonstrate their compliance. Large enterprises don’t want to throw away years of costly investment in information security best practice by connecting their servers to organisations that have few or no IT policies, procedures and controls. Moreover, they have a global reputation to protect that is worth far more than supplier relationships with small firms.

Cyber Security is Global. The USA will soon be introducing a new Standard

In an article in InformationWeek Government, “Why Businesses Can’t Ignore US Cybersecurity Framework”, Wyatt Kash presents the US standard as a must-have requirement and describes the Framework for Improving Critical Infrastructure Cybersecurity in the following terms:

“…the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who’ve combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.”

One wonders how many UK organisations will have the opportunity to comment on the UK Government’s Implementation Profiles, starting with Basic Cyber Hygiene. More importantly, will there be a serious attempt to bring SME organisations into the process of defining what constitutes an acceptable minimum standard?

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.
