The UK Government’s Cyber Security Strategy landed in November 2011 and the message to Government suppliers is crystal clear – the cyber security standard has just got higher and we all need to raise our game.
“We are also raising the standard of cyber security we expect from suppliers of sensitive defence equipment.” UK Cyber Security Strategy 2011
The Government’s vision for 2015 is to have a vibrant, resilient and secure cyberspace to enhance prosperity, national security and a strong society. This means setting an example by adopting best practice on cyber security in their own systems and setting strong standards for suppliers to Government to ensure the bar is raised.
What can Government suppliers expect?
- Requirements in government contracts are likely to stipulate cyber security standards much as they do for physical security today.
- Emphasis is likely to move away from prescribing in-depth technical controls and towards a risk-managed approach that raises awareness of the threat to reputation, revenues and intellectual property.
- Government will work with the insurance market to ensure that cyber security is effectively managed as a business risk.
“We know that companies are struggling to quantify the cyber risks that they face and the insurance industry can play a key role in helping to price this risk accurately.” Mark Fishleigh – Head of Insurance at BAE Systems Detica
Six ways to prepare
Change is on the way and Government suppliers need to be prepared to raise their standards this year. Here are six things to focus on to enhance your company’s information security and meet the Government’s high standard.
1. Get involved. The strategy makes it clear that the Government will work with industry to bolster cyber security but does not say how. Ascentor will continue to monitor developments and provide advice and guidance through our blog updates and newsletters. Sign up for our Information Risk Management updates.
2. Adopt a risk-managed approach. There is no such thing as absolute security.
- Start to identify the important assets both to your own business and any assets you hold on behalf of your customers especially in government contracts.
- Evaluate the risks.
- Plan mitigation activities.
- Manage the risks and ensure the board accepts the residual risks. See Ascentor’s Board Guide to Information Risk for useful information.
3. Start doing the basics properly.
- Review AV policies and compliance
- Review patching policies and compliance. Are updates happening in a timely manner? Are they being effectively tested before being applied? Are backups of critical data taken before they are applied?
- Review the security functionality of key products such as firewalls. Are they operating as expected? How do you know?
- Read our post on 5 basic security controls.
GCHQ estimates that 80% or more of currently successful attacks are defeatable by simple best practice.
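The patching questions above are only useful if you can answer them with evidence. The following script is an added illustration, not Ascentor's code: it reviews a constructed asset inventory against an assumed patching policy (14 days for critical hosts, 30 for the rest), flags updates applied without testing or without a prior backup, and produces a compliance figure suitable for a board report. The host names, dates and field names are all assumptions.

```python
"""Patch-compliance review over a constructed asset inventory.

Added illustration for the 'basics' checklist; not Ascentor's code.
The inventory records, policy windows and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: maximum days between the last patch and the review date.
PATCH_WINDOW_DAYS = {"critical": 14, "standard": 30}


@dataclass(frozen=True)
class Host:
    name: str
    criticality: str           # "critical" or "standard"
    last_patched: date         # date the most recent update was applied
    patch_tested: bool         # was the update tested before being applied?
    backup_before_patch: bool  # was critical data backed up beforehand?


def review_patching(hosts, as_of, windows=PATCH_WINDOW_DAYS):
    """Return (host, finding) pairs for every policy exception found."""
    findings = []
    for h in hosts:
        limit = windows[h.criticality]
        age = (as_of - h.last_patched).days
        if age > limit:
            findings.append((h.name, f"patching overdue: {age} days since "
                                     f"last patch (limit {limit})"))
        if not h.patch_tested:
            findings.append((h.name, "update applied without prior testing"))
        if not h.backup_before_patch:
            findings.append((h.name, "no backup of critical data before patching"))
    return findings


def compliance_rate(hosts, as_of, windows=PATCH_WINDOW_DAYS):
    """Fraction of hosts with no findings at all, for board-level reporting."""
    if not hosts:
        return 1.0
    failing = {name for name, _ in review_patching(hosts, as_of, windows)}
    return 1 - len(failing) / len(hosts)


# Constructed sample inventory (not real systems).
SAMPLE_HOSTS = [
    Host("fw-edge-01", "critical", date(2012, 1, 3), True, True),
    Host("file-srv-02", "critical", date(2011, 11, 20), True, False),
    Host("hr-desktop-17", "standard", date(2011, 12, 28), False, True),
    Host("web-proxy-03", "standard", date(2012, 1, 10), True, True),
]
REVIEW_DATE = date(2012, 1, 16)

if __name__ == "__main__":
    for host, finding in review_patching(SAMPLE_HOSTS, REVIEW_DATE):
        print(f"{host}: {finding}")
    print(f"compliant hosts: {compliance_rate(SAMPLE_HOSTS, REVIEW_DATE):.0%}")
```

Run against the sample inventory, two of the four hosts fail: one critical file server is 57 days behind and was patched without a backup, and one desktop was updated without testing, giving a 50% compliance rate. In practice the inventory would be pulled from your patch-management tooling rather than typed in, but the point is the same: "how do you know?" is answered by a repeatable check, not by assumption.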
4. Start an awareness programme. Ensure employees understand the risk to the business from cyberspace and the role they can play in keeping the business safe.
5. Review physical security requirements in contracts and make sure you are compliant.
6. Review contracts with any third party suppliers to ensure they are not exposing you to unacceptable risk.
Grasp the opportunity with Information Risk Management
Government is going to get stricter with information held by third parties. More emphasis will be applied to the importance of Information Risk Management at Board level and it’s likely that there will be tighter inspection regimes to ensure compliance.
Ascentor recommends all Government Suppliers think seriously about how they protect and control access to the information they host on behalf of Government departments. Effective Information Risk Management processes and procedures will strengthen your business and open up new Government opportunities.
Article by Paddy Keating, Director of Ascentor and Information Risk Management consultant.