In a 2014 survey on cyber security breaches, the Department for Business, Innovation & Skills (BIS) reported that 81% of large companies and 60% of small businesses suffered a cyber breach. As part of its responsibility to support UK businesses to guard against this significant threat, BIS has published a number of documents providing updated guidance on cyber security.
On 16 January 2015, BIS published its second annual FTSE 350 Cyber Security Governance Health Check (the tracker report). The tracker report sets out the results of a BIS survey of FTSE 350 firms regarding the state of their cyber security and awareness of current threats. The results of the tracker report are generally positive, showing an improvement on the preparedness for, and awareness of, cyber threats. The tracker report’s key findings were that:
- Awareness of cyber security as a business risk rose sharply in 2014, with 88% of those surveyed including cyber risk in their risk register, compared with 58% in 2013.
- BIS’s “10 Steps to Cyber Security” guidance has received a good take-up by those surveyed, with 58% of respondents using it to assess their organisation’s preparedness.
- There has been an improvement in board-level knowledge of cyber security since 2013, with 30% of those surveyed indicating that their board received regular briefings from their Chief Information Officer or head of security, compared with 18% in 2013.
- Boardrooms also have a better understanding of risk within their supply chains, with 59% of those surveyed having either a basic or clear understanding of where their organisation’s critical information and data are being shared, up from 52% in 2013.
- Interestingly, 92% of those surveyed had a clear or acceptable level of understanding of the value of their organisation’s critical information and data assets. However, 65% of respondents admitted that they rarely or never review their key information and data assets to confirm the legal, ethical and security implications of retaining them.
BIS hopes that UK organisations can use the tracker report to gain a better understanding of cyber security and the potential risks that they face. BIS plans to repeat its survey of FTSE 350 companies in 2015.
Cyber Essentials Scheme
BIS launched the Cyber Essentials Scheme (the scheme) in June 2014. The scheme is aimed at all organisations, regardless of their size and the sector in which they operate. The purpose of the scheme is two-fold:
- To outline the basic measures that organisations should take to mitigate the most common cyber security risks. These focus mainly on: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management.
- To provide an assurance framework and certification process for organisations to use as a means of demonstrating their cyber security to customers, investors, insurers and other interested parties. Organisations can apply for two forms of certification: Cyber Essentials, which is based on a verified self-assessment; or Cyber Essentials Plus, which is assessed by independent testing.
The scheme provides for the government to appoint accreditation bodies for Cyber Essentials and Cyber Essentials Plus. The accreditation bodies then appoint certification bodies, which can certify organisations that comply with the relevant requirements. In January 2015, BIS amended the assurance framework to remove the option for an organisation to be both an accreditation body and a certification body.
From 1 October 2014, it has been a mandatory requirement for suppliers bidding for government contracts that involve the handling of personal data or the provision of certain technical services to comply with the scheme.
Guidance for businesses
Since September 2012, BIS has maintained an online portal of cyber security guidance for businesses. A central element of the guidance is BIS’s 10 Steps to Cyber Security, which sets out a high-level summary of the ten key issues that BIS recommends organisations should address to safeguard against cyber attacks. This guidance aims to help organisations assess whether their approach to corporate risk takes adequate account of cyber security. It also sets out key questions that CEOs and boards should be asking of their organisations in order to ascertain whether the cyber security risks are being managed adequately and effectively.
On 16 January 2015, BIS updated its guidance by publishing a resource on common cyber attacks. The publication uses case studies to illustrate what a cyber attack typically looks like and aims to help businesses understand how best to manage the most common cyber risks that they face.
Communiqué on essential services
On 5 February 2015, BIS published a joint communiqué on strengthening the cyber security of the UK’s essential services following a meeting attended by ministers and senior representatives from the government and UK regulators. The meeting was held to discuss the challenges posed by cyber security to critical infrastructure in the UK at a time when it is increasingly reliant on cyber systems and networks.
The communiqué rates cyber security as a top tier national security priority and states that it is the responsibility of the government and regulators to assist providers of the UK’s essential services in securing their systems and networks. The communiqué promises that the government and regulators will:
- Work to embed cyber security into the firms and markets that they oversee, including by encouraging organisations to use BIS’s various guidance.
- Assess the state of cyber security across each sector and work with industry to address vulnerabilities.
- Identify aggregated risks within and across sectors.
- Work with industry to increase information flows on threats, vulnerabilities and mitigation strategies.
- Support sectors to develop effective incident detection and management capabilities.
Please contact us about the issues raised in this article or any other legal matter relating to your business.