UK Government cyber plans - what do they mean for your business?
From scaled-up DNS filtering to the new National Cyber Security Centre, the UK Government is taking a broad set of steps to aid enterprise security - but how effective will they prove without business buy-in? We take a look at the key steps any enterprise can take to defend itself, whether UK based or not.
It’s been a busy few weeks of cyber-security activity for the UK government, which has not only launched the all-new National Cyber Security Centre (NCSC) but also highlighted a slew of other projects such as DNS filtering and anti-DDoS measures. The entire gamut of measures is part of a wide-reaching ‘ambitious’ cyber security strategy which is set to be announced later in the year, but in the meantime we have the following hints:
The new NCSC is intended to provide a collaborative link between government and businesses. It will be physically based near Victoria Station, and will not only provide advice and best practice to businesses, such as the ‘10 steps’ graphic, but will also respond to cyber security incidents to “reduce the harm they cause to the UK” - which presumably will involve an active capacity as well as a theoretical one.
Ben Gummer, Minister for the Cabinet Office and Paymaster General, said: "Whilst retaining access to the world leading capabilities, partnerships and people of the intelligence community, this new centre will have an ‘open-door’ policy which will make it easier for businesses of all sizes to get the best support available for cyber issues."
So what will the NCSC be doing in detail? NCSC Chief Executive Ciaran Martin gave a few clues in a recent address at the Billington Cyber Security Summit in Washington DC. Unsurprisingly, they’re talking to telcos and ISPs: “We're currently working with the UK telecommunications industry to stop the well-known abuse of the BGP and SS7 protocols to reroute traffic. If we’re right, this will mean it’s much much more difficult for UK machines to participate in a DDOS attack. And if we’re right then everyone else can do it.”
So far so good, although other elements of the strategy might prove more controversial, as Martin continued: “We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses? Now it's crucial that all of these economy-wide initiatives are private sector led. Any DNS filtering would have to be opt out based.”
No specific timing has been given for the unveiling of the new cyber strategy, but it’s a fair bet that some of the research being undertaken by the UK Government, such as this enterprise breach survey, will feed into it. In the meantime, it’s probably wise for businesses to take some basic cybersecurity management precautions on their own initiative, such as those recently recommended to CSO Online readers by Ilia Kolochenko, CEO of High-Tech Bridge.
Kolochenko said: “Cybersecurity management is not rocket science, but it does require an organized approach. It’s great to see NCSC finally up and running, as the educational aspect of the security puzzle is extremely important. However, no matter how good the advice may be, the implementation of it will be down to individual businesses, and it’s here that varying interpretation can cause problems. For the best security stance, keep it clear, and keep it simple.”
Firstly, conduct a comprehensive inventory of your digital assets, including data, users, software and hardware. Secondly, feed that inventory into a holistic risk assessment: you need to identify and prioritize all the risks applicable to your organization, your business processes and your people. Then, before signing any cybersecurity agreements to mitigate those risks, conduct a full RFP process as detailed here. Finally, evaluate and continuously monitor your security solution and performance.
Clarity and simplicity are key to success in cybersecurity, whether you’re an SME, enterprise or even the UK government...