2015 was the year in which Minister for the Cabinet Office Matthew Hancock described cyber attacks on government systems as “constant and relentless”. Speaking at IA15 in November, it emerged that an average of 33,000 malicious emails were being blocked at the gateway every month. If ever there was evidence that government systems are just as under threat as those in commercial organisations – this was it.
2016 will bring big changes that affect how the supply chain prepares itself for doing business with government. What’s more, government is moving towards a more shared digital cloud platform.
In this climate of on-going threat and change, we look ahead at what might happen – raising some of the cyber security issues on the horizon for government and the supply chain.
The number of MOD suppliers is dramatically cut due to their inability to meet the basic information security requirements of the Cyber Security Model
The Defence Cyber Protection Partnership (DCPP) is expected to launch the new Cyber Security Model (CSM) in August. It will apply to all new defence contracts from Q2 onwards. While the CSM has its own three-stage process, the pre-requisite from January 1st is that suppliers have at least Cyber Essentials in place where there is an exchange of MOD information.
Like other security standards, the CSM will need to be understood, interpreted and implemented. Failure to do this and meet its minimum standards could see MOD suppliers barred from contract opportunities. An explanation of Cyber Essentials and how to gain certification can be found here. Suppliers wanting a process to build cyber security into every stage of their projects might also find Ascentor’s IA Inside approach of interest.
The drive to reduce costs through shared services such as Government-as-a-Platform brings heightened security risks
In the words of gov.uk, Government as a Platform (GaaP) is a new vision for digital government – a common core infrastructure of shared digital systems, technology and processes on which it is easy to build brilliant, user-centric government services.
This new platform approach will bring cost savings across departments by maximising shared capabilities – but it will require greater co-ordination between government departments that have historically existed in silos with their own bespoke systems.
This all sounds like good news, but it comes with risks attached. Working collaboratively in the cloud will no doubt improve the security of the core services, but departments will still have responsibility for their own data and how it is accessed by their staff. A policy on BYOD is a must, as is security awareness training if breaches are to be avoided.
The uptake of CESG Cyber Security Consultancy is not as strong as predicted/hoped due to lack of perceived benefits for providers and customers
In June 2015, CESG announced the launch of its Certified Cyber Security Consultancy. Delivered by industry companies and evaluated by CESG, the new model has been established to provide a pool of trusted consultancy services to meet what CESG describes as a growing demand for high quality, tailored, expert advice. Inevitably, this will come at a cost as security consultancies introduce new management methods and reporting processes.
The question is whether this will impact on the cost of the service to end customers and whether this is seen as a worthwhile investment given that the skills of the actual consultants are the same as those in the rest of the government security space, namely CESG Certified Professionals.
A major data breach demands review of the government classification scheme – especially regarding information-marking and user responsibility
There are still some government organisations whispering about the need for another level to be added to the current classification scheme. Placing the onus on all personnel for good security practices when handling any government information makes sense, but users are only human and accidents will happen – especially when the golden rules of information handling have become more like tribal customs.
If past incidents are any indicator of the future, the next major information security breach is just around the corner. Trying to lay the blame at the feet of untrained personnel who wouldn’t know sensitive information if it got up and bit them will not cut the mustard. Departments must ensure that they have clear policies in place that explain what constitutes sensitive information and how they expect staff to handle it. Staff should then receive regular training that includes examples relating to their own business.
The year of the cyber insurer
Cyber insurance may still be in its infancy but it is developing fast. As more and more attacks are successful and result in punitive damages, insurance companies are building their customer base and risk analysis frameworks. They will be able to offer real benefits in terms of mitigating impacts and reducing the overall costs of an attack. There will, however, be a price to pay.
Insurance companies will be looking to scale premiums based on an organisation’s security profile. Certification against a standard will no doubt reduce premiums but will also have the benefit of reducing the chance of an attack succeeding in the first place.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of Cyber Security and Information Assurance, please contact Dave James at Ascentor.
Email: [email protected]
Office: 01452 881712