The UK government has launched a new cybersecurity standard designed to set a baseline of mandatory security outcomes for all departments. The Minimum Cyber Security Standard announced this week presents a minimum set of measures which all government departments will need to follow, although the hope is that they will look to exceed these at all times. IT security experts commented below.
Javvad Malik, Security Advocate at AlienVault:
“Unfortunately, many government departments lack the funding or expertise to implement even a baseline set of security controls. With that in mind, this minimum cybersecurity standard is a positive move that will hopefully raise the bar consistently across government departments and organisations.
While ideal, it is probably not feasible to force this across all organisations outside of government bodies, but it could be used as a baseline for third parties wanting to do business with government departments.
A good next step would be to extend the scope of minimum cybersecurity standards to apply to vendors, particularly IoT or smart device manufacturers.”
Martin Jartelius, CSO at Outpost24:
“This is a great step and a positive change. We have regulations for health and safety at work, and the financial industry is littered with rules and regulations for the protection of customer data. Soft regulations, including the GDPR, work in a similar fashion to put some degree of basic controls in place.
IT is a crucial part of any business so by defining and setting a baseline or best practices via regulatory control, it sends a strong signal and prompts businesses to improve their security awareness.
The success or failure of this mandate will depend on the implementation. The danger is whether this becomes another compliance ‘checkbox’, where the regulation does set a clear baseline or bare minimum requirement, resulting in organizations doing as little as possible to be compliant, rather than to become secure.”
Andy Norton, Director of Threat Intelligence at Lastline:
“The new standard misses the mark in some regards the requirements for detection and response are focussed only on “common” threats. It is expected that common threats will not pose a risk. To government departments, it is the advanced threats that pose is risk to governments and the mandate outlined in the new standard does nothing to raise the bar within government networks to detect and respond to advanced threats.”