The same old attacks will continue to happen with monotonous frequency, and organisations that don’t concentrate on even the basics will continue to fall victim. It is worth pointing out early that just getting the basics right will stop the majority of attacks and help you avoid large fines for non-compliance. If the only thing you do this year is tighten up on the basics, you’ve done well! (CESG’s advice is a good starting point – Ten Steps to Cyber Security.)
Outside of this, there are some BIG things happening this year, especially in the Government cyber arena. Here are our predictions.
The worm turns in 2013?
The UK Government has made it plain in its Cyber Security Strategy (see – What Every Government Supplier Needs to Know about the UK Cyber Security Strategy) that it is intent on fighting back. No warfare can be conducted by defence alone, and it is high time some teeth were shown.
2013 should see the start of cyber exploitation, whereby Government takes some brave decisions to go after the bad guys with more than just physical means. We have the technology to seek out and disrupt those intent on doing the UK harm – all in the cyber world. Do we have the political will to do it and stand by the consequences? We wait and see.
PSN and G-Cloud
As part of the initiative to make the UK a safer place to do business, the Government has looked in the mirror and recognised it also needs to be better at providing safe on-line services. The PSN and G-Cloud will continue to expand in 2013 and provide some real cyber benefits.
G-Cloud especially will bring about changes to the way we perceive information security. If we can no longer put physical security controls around our information and no longer know where it is, how do we protect it? The G-Cloud mantra of ‘do security once, do it right and re-use it’ will not only make information security more efficient but also address some of the key risks of using cloud services. This will benefit everyone and lead to greater understanding of what can and can’t be achieved in the cloud.
See the Ascentor blogs on the PSN and G-Cloud for further information.
Has the emperor really got new clothes? The Government’s new classification policy
The Government has made it clear that they intend to move to a new information classification policy. Draft documents have been produced that provide an overview of the new scheme and the intention is to publish and go live in Spring 2013.
The old 6-level model of UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET is changing to just 3 levels. The top levels are unlikely to change much, but the intention is to make the lower level more appropriate to Government business and public services. The whole concept is puzzling security practitioners, let alone anyone else. Is this a case of the emperor’s new clothes? And what impact is this likely to have on enterprise risk management?
Just a few observations:
- Most of the CESG Good Practice Guides (GPG) will need to be amended. The recently revamped IAS1/2 – Information Risk Management will have to go back to the drawing board!
- The mapping of Protective Marking (PM) to Business Impact Levels (BIL) will change, which means Information Asset Owners (IAO) will need to reassess all their current information assets – no easy task!
- BILs will need to be rethought.
- Confusion will reign whilst the two systems run side by side. It will be a long time before the old markings are no longer used.
- There will be a cost involved for changing current schemes to the new one.
On the plus side, the new tiers should help with things like cloud implementation, mobile and remote working. In addition, the aim of making everyone personally responsible for the information they access has to be a step in the right direction, but how this is to be achieved has yet to become clear.
Keep an eye on the Ascentor website for more blogs on the new classification policy over the coming months. We will endeavour to clarify it when we actually understand it!
Passwords – a Thing of the Past?
We all struggle with passwords. Weak ones, strong ones, long ones, complicated ones, call them what you like, the point is we all have too many, keep forgetting them and so reuse the ones we can remember, which, unfortunately, are probably the easiest ones for the bad guys to guess (and a password reused across sites means one breach unlocks all of them). Will 2013 start to address the problem by coming up with a novel and effective alternative?
YubiKey is just one such potential solution, which Google is currently trialling (as of January 2013). If Google starts pushing a solution, will we follow? There’s certainly the demand!
If you’re having trouble with passwords take a look at the Ascentor guidance on creating strong passwords.
The Year of IRM?
Is this the year when Information Risk Management (IRM) takes off? If the UK Cyber Security Strategy is to work, all parties must take the threat seriously. Government cannot do it without the support of UK businesses, as that would be akin to bolting the doors and leaving the windows wide open. The Government has committed over £650m to tackle the cyber threat and has started the process of improving its own risk management processes. It is expecting industry to do the same. Adopting an Information Risk Management strategy that sets out how risks are identified, evaluated and controlled is becoming a critical business process, and it will continue to grow in importance as the UK Government seeks to achieve the objectives of its cyber security strategy.
To read more on IRM, take a look at Ascentor’s blog archive on the topic. You will find some useful tips of the trade. Contact Dave James directly if you’d like to arrange a free 2 hour consultation with one of Ascentor’s IRM specialists.
This is our view here at Ascentor. How about you? We’d be fascinated to hear your thoughts and predictions for the coming year.
Article by Paddy Keating, Director/Government Service Manager at Ascentor.