The UK Government 2022 cyber security incentives and regulation review policy has just been published.
It is a comprehensive policy document and it can be found here -
Below we have summarised some of the key points.
The Ministerial Forward is by Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure.
The ministers points out that while the digital age is making the world more interconnected than ever before and is driving extraordinary opportunity, innovation and progress so too is the opportunity for malicious actors to exploit vulnerabilities in IT systems.
The minister goes on to point out that according to the Cyber Security Breaches Survey 2021, two in five businesses (39%) report having experienced cyber security breaches or attacks in the last 12 months. In addition, around a quarter of the incidents the NCSC responded to in 2020 related to coronavirus.
The minister states that protecting the public, UK businesses, organisations, and critical infrastructure, will always be the highest priority of this government.
The Executive Summary of the report points out that the cyber threat is significant and growing, yet cyber attacks are not always sophisticated. Attacks frequently succeed as a result of poor cyber hygiene and the exploitation of known vulnerabilities. For every highly sophisticated hostile state attack there are hundreds of low-level phishing, denial of service, and ransomware attacks.
Raising cyber resilience across the economy and society, even if it is just the basics of ensuring good cyber security practices are implemented consistently, is the first line of defence against cyber attacks. The government recognises this is a complex challenge that needs the involvement of businesses, organisations and the public if the UK is to succeed in becoming more cyber resilient.
The report goes on to explain that the National Cyber Security Centre (NCSC) reported a significant rise in ransomware attacks on the UK in 2020, including an attack against Redcar and Cleveland Borough Council which cost the Council an estimated £10.4 million.
Threats are adapting in a fast-paced cyber environment, and so cyber security plans must be designed with the ability to evolve through periods of change. ‘Cyber resilience’ - the ability for organisations to prepare for, respond to, and recover from cyber attacks and security breaches - is key to operational resilience and continuity, as well as the growth and flourishing of the whole UK economy as we adapt to the demands of operating online.
The Cyber Security Breaches Survey 2021 showed that 39% of businesses and 26% of charities identified that they had experienced at least one breach or attack in the last 12 months. Among those that identified breaches or attacks, one in five (21% and 18% respectively) lost money, data or other assets. One third of businesses (35%) and four in ten charities (40%) reported being negatively impacted regardless of whether they experienced a material outcome, for example because they required new post-breach measures, had staff time diverted or suffered wider business disruption.
As the government’s centre for technical expertise in cyber security, the NCSC has now created a wide range of tailored guidance for audiences across the economy and society, including the citizen. Entry-level guidance and schemes for small businesses help protect against the vast mass of low-sophistication, untargeted cyber attacks. This includes the Cyber Essentials Readiness Toolkit and advice delivered via Cyber Aware.
For larger organisations, there is a wider suite of advice to support the required spectrum of cyber risk management activities. This includes comprehensive strategies and frameworks to help firms understand the range of action they need to take, such as the 10 Steps to Cyber Security, which go beyond technical measures to include governance processes and organisational culture. A board toolkit shows how senior managers can drive cyber resilience improvements, whilst online training and incident exercising are also freely available from the NCSC.
Government currently provides a number of products that enable organisations to become confident that they are protected and insured against a range of common cyber attacks, most notably Cyber Essentials and Cyber Essentials Plus.
The Cyber Essentials scheme seeks to help organisations, regardless of size, improve their cyber resilience and protect themselves against the most common internet-based threats by setting out five basic technical controls, which can either be independently audited or tested through Cyber Essentials PLUS.
In Conclusion the report states that the internet, and the digital economy and communications that have been built on it, have helped deliver huge benefits to the UK and the UK’s economy. However, attempts to exploit its weaknesses continue to increase and evolve. Malicious actors, both criminal and state-run, continue to actively look to exploit vulnerabilities in the UK’s cyber defences. The risk of deliberate or accidental cyber incidents is heightened by the increasingly interconnected nature of networks, systems and devices in use by organisations and individuals and the increased use of digital services.
This threat cannot be eliminated completely since digital technology is necessarily open, and openness brings exposure to risk. However, the risk can be greatly reduced to a level that allows society to continue to prosper, and benefit from the huge opportunities that digital technology brings.
The key outcomes the government seeks to achieve, and how they fit into the National Cyber Strategy, are as follows:
- Better awareness and understanding of why Government messaging is not having the impact it needs:
- More resilient organisations in the UK through increased uptake of the Cyber Essentials scheme:
- Improved resilience within essential services and digital services:
- Greater accountability for cyber security in business:
- Clarity for the cyber security profession:
Flex IT Solutions protect business information from damage or loss by implementing smart IT solutions combined with quality support.
Our security assessment framework is based on National Cyber Security Centre’s Small Business Guide and 10 Steps to Cyber Security, combined with best practices from the IT industry and Cyber Essentials.
Following a thorough assessment, we will report security strengths and vulnerabilities. Our recommended actions are presented with ‘traffic light’ indicators, so you are clear about security priorities.
With this insight, you can make informed decisions about enhancing the security of your IT infrastructure. Your actions will depend on your risk appetite. What impact would the loss or damage of data and IT systems have on your productivity, business reputation and profits?
If you are in any doubt about your business security resilience we can help so contact us now.
Our services, manifesto and details about IT security assessments can be found at www.flex.co.uk or contact Jamie Read or Geoff Parkins at Flex IT Solutions on 0333 101 7300.