Improving basic cyber security – the government’s draft standard

The government intends to develop a ‘cyber hygiene profile’ (standard) to improve basic cyber security in organisations in any economic sector. The profile will:

• Offer clarity to businesses in what is a complex and confused standards landscape, by supporting technical controls that are accessible and fit-for-purpose;
• Help businesses follow best practice in basic cyber hygiene and mitigate cyber risks at the low-threat level e.g. hacking and phishing;
• Offer a voluntary alternative to a legislative approach;
• Enable businesses that are cyber secure to differentiate themselves in the marketplace;
• Answer the ‘how’ question: existing standards often do not explain how a company should implement a security measure or what ‘good’ looks like.

The draft cyber hygiene profile – tackling basic threats

On 25 February, the first draft of the profile was published for comment.

It covers specific technical controls – i.e. it is about managing technology – that have been shown to help combat the most common and basic forms of Internet-based cyber threats. The technical controls have been identified by CESG (the UK Government’s National Technical Authority for Information Assurance) as the most effective security controls required to help prevent / resist low level cyber attacks:

1. Threats involving the use of publicly available tools that exploit known Internet connected servers and network devices (e.g. email servers, web servers, application servers, network routers and firewalls). These do not require any action from an individual within the organisation.
2. Threats involving malware that infects computers on an organisation’s internal network (including desktop PCs and laptops).   These require some user action to enable infection, such as opening an infected email attachment or clicking on a malicious website link.

What does the profile cover?

The profile covers five areas:

1. Firewalls and Internet Gateways
2. Secure Configuration
3. Access Control
4. Malware Protection
5. Patch Management

Opportunity for industry to comment

Industry has been asked to comment on the draft through the British Standards Institute.

What will the basic profile mean in practice?

• To implement the five basic technical controls effectively, an organisation will also need to have appropriate governance structures, training and education regimes, etc in place.
• Implementing this profile alone will not be sufficient to protect against the broad range of cyber attacks.  The profile does not necessarily present the security arrangements an organisation needs to have in place to protect against other forms of threat, including interception of wireless communications, insider attacks, theft or sophisticated threats (i.e. a threat with significant capability, funding and resource, typically those associated with advanced persistent threats).
• The technical controls presented are preventative in nature and exclude those typically associated with detecting and responding to cyber attacks.
• The aerospace, defence, security and space sectors are the target of more advanced cyber threats compared to other sectors.  The Defence Cyber Protection Partnership (DCPP) is therefore working with BIS and GCHQ to identify how the government’s (forthcoming) basic profile should be implemented in the defence supply chain.  The defence supply chain is likely to have to implement the basic cyber security controls with greater vigour and to a higher level of maturity and to have a more mature risk assessment, assurance and verification process.  The defence supply chain is also likely to have to implement controls in additional areas.