The government will launch a guidance and certification scheme in June to help UK businesses get the basics of cyber security right.
Government analysis of continuing attacks and feedback from industry vulnerability testers has identified that a number of security controls are still not being applied.
“The Cyber Essentials Scheme (CES), aimed at raising the bar, which we assess to be pretty low,” said Giles Smith, deputy director, cyber security at the Department for Business Innovation and Skills (BIS).
The scheme is set to be launched on 5 June, he told a seminar on cyber risks and opportunities hosted by law firm Sidley Austin and the Association of British Insurers in London.
“The role of BIS within the national cyber security strategy is to enable growth by helping UK businesses to operate safely in cyberspace,” said Smith.
To do this, he said, businesses need to embed cyber security in corporate governance processes, treating it like any other business risk, and establish confidence that the basic controls are in place.
This is the aim of the CES, developed with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum (ISF) and the British Standards Institution (BSI).
The CES identifies five essential security controls that organisations must have within their IT systems to ensure they are beginning to mitigate the risk from internet-based threats.
Read more on UK cyber security
- Government promotes cyber security profession in schools
- UK cyber security progress welcomed
- Cyber security is economic opportunity for the UK, says government
- UK finally launches national cyber emergency team
- Government lays out 2014 cyber security agenda
- Government expands private sector cyber security partnerships in NCSS drive
- UK to help lead world fight against cyber crime
- Cyber security quest strong in UK, says Isaca
“This shows what good security looks like and is a cost-effective way for all UK businesses to get on the journey to maturity in cyber security by doing all the basic things correctly,” said Smith.
“Just by establishing a basic level of cyber hygiene through implementing the basic controls will solve a lot of problems and protect against most low-level threats,” he said.
The CES will also offer a way to win customer confidence and competitive advantage by certifying the level of an organisation’s compliance with the five controls set out in the guidance.
The scheme follows on from the government’s 2012 publication of its 10 Steps to Cyber Security guidance that is aimed at encouraging organisations to consider if they are managing their cyber risks.
The Cyber Essentials Scheme provides guidance on:
- Secure configuration
- Access control
- Malware protection
- Patch management
- Firewalls and internet gateways
The guidance raises the need for company Boards and senior executives to take ownership of these risks and enshrine them within their overall corporate risk management regime.
The government views the adoption of an organisational standard for cyber security as the next stage on from the 10 Steps to Cyber Security guidance.
Smith said government plans to implement the CES throughout the public sector and in the longer term embed it procurement processes wherever possible.
He said government was also determined to drive adoption of the CES in the private sector, adding that it could be a "powerful tool” from a cyber insurance perspective.
Smith said government is engaged in a number of bilateral discussions with insurance companies, but is looking to the industry to find a more sustainable means of interaction.
“Both the public and private sectors need to raise their cyber security game to enable them to seize the opportunities presented by the digital world.
“The UK cyber security strategy is as much about growth as it is about risks,” he said.