Draft cyber code

by Mark Rowe

The UK Government has brought out a draft Code of Practice on cyber security governance, aimed at directors in business.

Viscount Camrose, Minister for AI and Intellectual Property at the Department for Science, Innovation and Technology (DSIT), said: “Cyber attacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes – protecting their customers, workforce, business operations and our wider economy. This new code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work. It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views.”

The code, written with the UK official National Cyber Security Centre (NCSC), suggests companies have plans to respond to and recover from potential cyber incidents; that the plan should be regularly tested; and that a business has a formal system for reporting incidents.

NCSC CEO Lindy Cameron said: “Cyber security is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats. This new Cyber Governance Code of Practice will help ensure cyber resilience is put at the top of the agenda for organisations and I’d encourage all directors, non-executive directors, and senior leaders to share their views. Senior leaders can also access the NCSC’s Cyber Security Board Toolkit which provides practical guidance on how to implement the actions outlined in the Code, to ensure effective management of cyber risks.”

The call for views is open until March 19.

Comments

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, said: “The threat landscape is constantly evolving, so organisations need to keep pace and ensure that they regularly review and upgrade their defences. Some approaches that worked just a few years ago are now obsolete and attackers change their profile far quicker now, so it is incredibly difficult to identify which packet requests are nefarious. Companies should try to deal with DDoS traffic on the edge of their network immediately, and employ the latest tools such as AI, which can help with reactive misuse, anomaly detection and network profiling techniques.”

He urged senior management to have a more holistic understanding and approach to cyber, and said IT departments must be able to maintain security protocols or policies. “Inevitably, this means increasing the amount of IT security staff and ensuring all staff are sufficiently trained, even if just in basic cyber skills.”

Business leaders must prioritise cyberthreats as a major business risk, given the rate of change in the threat landscape and the effect a successful attack can have on an organisation’s business continuity and reputation, says Darren Anstee, chief technology officer for security at Netscout.

“The Code of Practice doesn’t call out specific types of cyberthreats, but any risk management or incident handling processes must be broad enough. The Code does mention the need to identify key areas such as important processes, data and services that are critical to a business – but we must remember that there are many different types of cyberthreats which target these. Each type may have different risks associated with it, and incident handling will also vary.

“Assessing the recommendations listed in the Code of Practice, there is no reference to the importance of working with other organisations or sharing of data. Unfortunately, the bad actors out there are very good at sharing tools and techniques – organisations should follow suit, working with one another, or via industry and government institutions that can facilitate communications.

“The importance of an incident handling plan cannot be overestimated, but testing should take place quarterly, or at worst every half year. Given the rate of change in every business today, testing annually is more likely to focus on where the plan is out of date, rather than creating familiarity and optimising processes, which are just as important.”

Dan Morgan, Senior Government Affairs Director for Europe and APAC at SecurityScorecard, recommended cyber risk ratings as an objective, quantifiable measure of an organisation’s cyber security posture, akin to a credit score for cyber health. He said: “We urge the UK government to consider the mandatory inclusion or encouragement of cyber risk ratings in the final version of the Cyber Governance Code of Practice. Such a move will significantly contribute to the overall security and resilience of the UK’s digital economy.”
