Monday, 16 December 2013

Cyber security vetting scheme is right move by government, but SMEs need more attention

The security industry has welcomed the UK government's latest plans to establish a new Cyber Security Suppliers' (CSS) scheme, in an attempt to boost the UK's annual cyber security exports past £2bn in the next three years. However, a lack of attention paid to SMEs may cause problems for the economy in the coming year.

The plans were outlined by Francis Maude on Thursday on the two-year anniversary of the launch of the Cabinet Office's £850m Cyber Security Strategy. They will see workers on projects involving securing UK government networks stringently tested and accredited by the Institute of Information Security Professionals (IISP), the Council for Registered Ethical Security Testers (CREST) and Royal Holloway University's Information Security Group (ISG).
Furthermore, businesses that have supplied government departments with security products would now be able to publicly state that they have done so, with the hope of allowing innovative businesses to show off their successes and gain more lucrative contracts as a result.
Malcolm Marshall, head of cyber security at KPMG, said more rigorous accreditation would benefit the UK's cyber defences, but with the caveat that "board-level debate" would be required in order to properly understand the threats posed to UK companies.
"It's fair to say that organisational cyber security standards are keenly awaited by the security community and by business at large, but to work effectively they must be pragmatic and recognise the challenges of smaller firms trying to raise their cyber security game," Marshall said, adding that the UK would have to ensure it does not become out of kilter with the international security debate.
"It is also worth reminding ourselves that commerce in cyberspace is global, and that any UK standard must build on recognised international approaches, with a weather eye on US initiatives. We need to resist the temptation of the UK ploughing its own furrow."

The government's Cyber Security Information Sharing Partnership (CISP), which sees UK businesses pooling security intelligence into a so-called 'Fusion Cell' so firms can collaborate on solving pressing security issues and vulnerabilities, will also expand. In the coming year, the scheme will double in size, with 500 firms set to be granted access to the scheme.
BAE Systems Detica managing director Martin Sutherland said CISP's expansion made the UK a mighty force in the battle against cyber threats. "Traditionally, governments and industry have taken a largely sectoral approach; where the UK's CISP is unique is that it is a world-leading cross-sector initiative and exploits the commonalities between different sectors to share knowledge and raise threat intelligence maturity," he said.
"Consequently, it allows a wider range of companies to benefit from the cyber knowledge it shares. A clear message is being sent that information sharing with industry is a key priority for UK government."
However, concerns remain about CISP's lack of support for SMEs, with Symantec's senior director of government relations, Ilias Chantzos, highlighting a continuing lack of understanding among smaller firms of the risks they face. "SMEs frequently do not have the resources or knowledge of how to protect themselves from today's evolving and relentless threats," Chantzos said, citing a Symantec study that found SMEs were the target of 31 percent of cyber attacks.
"No one person, body or organisation can address this challenge alone; public-private partnerships continue to play a crucial role."
Cyber security is often neglected by even the UK's largest businesses. A study of the UK's FTSE 350 found that only 14 percent of firms were regularly considering cyber security threats, something the government is looking to improve in the next year.
