Within the cyber-security industry, many commentators have suggested that Cyber Essentials, the government-backed certification scheme for ensuring basic cyber-hygiene, is set at too low a bar. But it seems it has still proven too high for many, including both SMEs and some large organisations such as the NHS; hence the revision underway is intended to simplify it further, Emma Green, head of Cyber Security Incentives and Regulation Team at the Department for Digital, Culture, Media and Sport, told SC Media UK.
She explained, "It needs to be more nuanced, to describe what 'good cyber-security' looks like for different organisations with different circumstances. Patching within two weeks can be very difficult to achieve for smaller SMEs."
In a keynote speech at yesterday's SC Congress 2019, held in West London, Green said that organisations need to take appropriate action to protect themselves and their customers. She added that cyber-security threats are "multi-dimensional and intangible, making it difficult for organisations and the public to conceptualise the risk".
"Basic good cyber-security behaviours can prevent the vast majority of attacks, but have not been adopted widely enough across the UK economy and society," she warned.
Green urged the industry to close the gap between awareness and action. "Further Government and industry interventions are required to deliver a step change in organisational behaviours and actions on cyber-security."
Green warned that the cyber-threat to the UK was significant and growing, and that the motivation behind attacks, while varied, was focused on exploiting organisations for profit.
She said the ambition of the government and her department was that "every organisation in the UK is cyber-secure and resilient to support a prosperous digital economy".
But for this to happen, organisations needed to know what to do to be secure and resilient, take appropriate action to protect themselves and their customers, have access to the products and services they need, and have access to the cyber-security skills they need.
Green said that organisations could look to guidance issued by the National Cyber Security Centre (NCSC) to find out how they can be secure and resilient, such as the NCSC’s "10 Steps to Cyber Security" and "Board Toolkit: five questions for your board’s agenda". She added that the NCSC was established to be a "one-stop shop" for such information.
On the second point, Green said organisations need to have access to the products and services they need to be secure in the digital economy. She pointed to initiatives such as HutZero, which helps companies get ideas for cyber-security businesses off the ground, and the London Cyber Innovation Centre, which brings innovators, academics, government, stakeholders and corporates together to drive investment in new cyber-security products and services.
Building cyber skills
To be safe in the digital economy, organisations will require access to the cyber-security skills they need. Green said that the government published a skills strategy in 2018 to understand the challenges that threats present to demands for cyber-security skills.
There have also been efforts such as the Cyber Discovery programme, which helps students in secondary schools learn more about jobs in cyber-security. She also pointed to other programmes, such as the Cyber Skills Immediate Impact Fund, which aims to increase the diversity of those working in the UK cyber-security sector, and the CyberFirst competition, which looks at increasing the participation of girls in cyber-security.