The UK government has launched a new cybersecurity standard designed to set a baseline of mandatory security outcomes for all departments. The Minimum Cyber Security Standard, announced this week, presents a minimum set of measures which all government departments will need to follow, although the hope is that they will look to exceed these at all times. IT security experts comment below.
Javvad Malik, Security Advocate at AlienVault:
“Unfortunately, many government departments lack the funding or expertise to implement even a baseline set of security controls. With that in mind, this minimum cybersecurity standard is a positive move that will hopefully raise the bar consistently across government departments and organisations.
While ideal, it is probably not feasible to force this across all organisations outside of government bodies, but it could be used as a baseline for third parties wanting to do business with government departments.
A good next step would be to extend the scope of minimum cybersecurity standards to apply to vendors, particularly IoT or smart device manufacturers.”
“This is a great step and a positive change. We have regulations for health and safety at work, and the financial industry is littered with rules and regulations for the protection of customer data. Soft regulations, including the GDPR, work in a similar fashion to put some degree of basic controls in place.
IT is a crucial part of any business so by defining and setting a baseline or best practices via regulatory control, it sends a strong signal and prompts businesses to improve their security awareness.
The success or failure of this mandate will depend on the implementation. The danger is whether this becomes another compliance ‘checkbox’, where the regulation does set a clear baseline or bare minimum requirement, resulting in organizations doing as little as possible to be compliant, rather than to become secure.”
Andy Norton, Director of Threat Intelligence at Lastline:
“The new standard misses the mark in some regards: the requirements for detection and response are focussed only on “common” threats. It is expected that common threats will not pose a risk. To government departments, it is the advanced threats that pose a risk to governments, and the mandate outlined in the new standard does nothing to raise the bar within government networks to detect and respond to advanced threats.”