UK cyber security guidelines lack clarity, says IET

The Institution of Engineering and Technology (IET) calls on government to clarify what cyber security advice UK firms should follow

The Institution of Engineering and Technology (IET) has called for greater clarity from the government about what cyber security advice it wants UK businesses to follow.

The UK government’s newly published Cyber Security Implementation Profile is intended to define minimum cyber hygiene for UK businesses.

But the IET said the government has previously endorsed both the Top 20 Critical Security Controls, published by the Council on Cyber Security, and its own 10 Steps to cyber security: an executive companion.

“Having three separate sets of guidelines on cyber security, endorsing 20, 10 and 5 controls respectively, is very confusing,” said Hugh Boyes, IET cyber security lead.

“UK businesses are unlikely to understand which are the definitive guidelines and, worse still, there is a real danger they will ignore the advice altogether, simply because there is no clear message about which guidelines are most applicable to them.”

Boyes called on the government to issue clear guidance on when each of the three sets of guidelines is the most applicable.

“Even better would be if the government led from the front by auditing its own services against these latest guidelines, and then declared the results publicly as a matter of urgency,” he said.

Five basic controls

The Cyber Security Implementation Profile covers five basic controls that businesses need to consider:

  1. Secure configuration
  2. Access control
  3. Malware protection
  4. Patch management
  5. Firewalls and internet gateways

