Cyber Security for Government Suppliers: New IA Frameworks and Standards Are On the Way

Business organisations, including the Institute of Directors (IoD) and the Federation of Small Businesses (FSB), are warning that firms need to actively manage their information risk in order to avoid the growing threat of cyber crime. For any business that is handling government information, there are important steps that must be taken — as well as the prospect of new guidelines this Autumn.

Is your firm in the HMG supply chain?

If your company supplies goods and services directly to the government (HMG) then you are undoubtedly already aware of the growing importance of protecting government information in the face of increasing risks. Your company, or parts of it, may be authorised to hold Protectively Marked client information. So you will know all about the need to demonstrate compliance with HMG Information Assurance (IA) standards and the need for an effective regime for managing information risk.

But what about the other companies that supply HMG organisations — either directly or indirectly — and who hold their clients’ data? Many firms are a part of the government supply chain even if they are not long-standing HMG suppliers. If you are handling HMG information and don’t know what HMG IA standards are, or are not sure whether they apply to you or not, then this blog is for you.

How does this affect your firm?

HMG organisations are subject to the government Security Policy Framework (SPF). Mandatory requirement number 5 of the SPF states that an effective system must be in place to ensure that: “security arrangements are fit for purpose, that information risks are appropriately managed, and that any significant control weaknesses are explicitly acknowledged and regularly reviewed”. This applies to the organisation, its delivery partners and its supply chain.

Delivery partner and supply chain organisation security has been a real thorn in the side of HMG organisations which have been trying to figure out how best to meet this requirement. To address this, the Home Office operates the HADRIAN process of IA assessment of its supply chain companies. More recently the MoD has been developing a framework for IA assessment through the Defence Cyber Protection Partnership (DCPP) which: “seeks to implement controls to increase supply chain security as quickly as possible”. The framework is to be agreed by September 2013 and then once that is achieved: “DCPP members will begin work on extending the controls throughout their supply chains including to small and medium sized enterprises”. (You can find out more in this gov.uk article – Defence Partnership Tackles Cyber Security Risks.)

In addition, government has engaged with the Intellect group to gain industry input on a cyber security standard by October 2013. Once that has been agreed it is likely that this will be put to industry as best practice for information risk management. So, either via schemes such as HADRIAN, DCPP or other regimes, the requirement for supply chain companies to demonstrate their IA maturity is set to increase.

How big is the threat of cyber crime?

Many companies are already realising the need to improve their information risk management processes to counter the cyber threat. The recent paper from the Director of GCHQ for the Institute of Directors, Countering the Cyber Threat to Business, identified the risks to commercial companies and advocated following 10 steps to manage information risks.

“Cyber security is a corporate-level risk that all boards, in both the private and public sectors, need to own directly. The cyber threat applies to all, regardless of size or location”.

A report from the Federation of Small Businesses in May 2013 identified the £785 million cost of cyber crime to UK industry and also advocated the same 10 basic security steps.

So, if you supply goods and services to HMG organisations, either directly or indirectly, you should consider reviewing what HMG information assets you are responsible for, and how you are protecting them in line with current standards such as ISO27001 or any possible future HMG standards that may be imposed. And you must be prepared to demonstrate that to clients.

Your next steps to managing risk

You need to know what information assets you have that need protecting and then implement effective information risk management. As a result, your business will be able to take advantage of commercial opportunities by making informed risk management decisions. Critically, by managing risk proactively you will also inspire the confidence of clients and partners, demonstrating that you can protect their information as well as your own.

Follow these four steps:

  1. Improve your information risk management by gaining certification to ISO27001.
  2. Take our online risk assessment to see if you are on track towards IA maturity.
  3. Read our Board’s Guide to Information Risk Management.
  4. Contact an experienced IA company like Ascentor to conduct an IA gap analysis.

Article by Steve Maddison, Director and Principal Consultant at Ascentor.
