Business faces a challenging landscape of myriad cyber security standards, a perceived lack of guidance on best practice from Government and continued budget pressures, all in the face of increasing cyber security incidents. However, progress is being made in harmonising cyber security protocols across the EU and approval has been given to a proposed Network and Information Security Directive (which may include mandatory obligations on public authorities and market operators). This article considers current and future cyber security practices.
In November 2013 the Department for Business, Innovation and Skills (BIS) published a report into cyber security standards, having commissioned research into their availability and adoption within the UK private sector. In December 2013, the European Telecommunications Standards Institute (ETSI) published the final report from its Cloud Standards Coordination initiative, alongside the first release of the European Commission's 'Rolling Plan on ICT Standardisation'. During March, a revised draft of the Network and Information Security Directive on cyber security regulation in the EU was voted through the European Parliament. Security still sits at the heart of the debate over e-commerce and digital technology, and a harmonised approach to security standards is moving closer.
Digital Agenda for Europe
The Digital Agenda for Europe aims to maximise digital technologies and drive economic expansion. It is the first of seven initiatives under Europe 2020, the EU's strategy for smart, sustainable and inclusive growth. Under that agenda, the EC will annually publish the recommended standardisation activities required in support of EU policy activities. The current policy areas of focus are:
- Societal Challenges
- Innovation for the Digital Single Market
- Sustainable Growth
- Key Enablers and security
Within those, the Key Enablers and security policies (including Cloud computing, Network and Information Security, ePrivacy) are at the forefront of the current debate on barriers to expansion and the most pressing area for harmonisation. Before growth under the Digital Agenda can be realised, common standards and a safe and reliable environment need to be created.
PwC, in its 'Information Security Breaches Survey 2013' report (commissioned by BIS), found that security breaches reached their highest ever levels in 2013. Whether measured by the proportion of respondents that suffered a breach, average breaches per year, or their cost, the 2013 results were level with or higher than those for 2012, notably for small businesses.
Security budgets have grown, forming on average 10% of respondents' IT budgets, with over 30% of respondents planning an increase. However, spend is not always effectively targeted. Implementation of the Government's cyber security guidance is 'patchy'; 42% of large organisations reportedly do not provide any ongoing security awareness training to their staff. Affected companies experienced around 50% more breaches than during the previous year. The total cost of security breaches across the UK private sector is estimated in the billions of pounds and has roughly tripled since 2012.
BIS has found that there are a number of factors constraining organisations from investing in cyber security:
- Global organisations are finding increasing issues with international data sharing.
- There are few cyber security standards covering products and services, and few assured products and services available in the UK market.
- A perceived lack of guidance on best applicable standards and their implementation.
- Difficulty in identifying a business case due to lack of guidance/legislation.
Unfortunately, businesses face a range of unclear and unaligned security standards and procedures. In attempting to shortlist the most comprehensive cyber security standard, PwC found that there is no single identified standard that comprehensively covers cyber security.
BIS' research found over 1,000 cyber security related standards published globally, without a single common (or conformed) underlying standard. Amongst those, only 11% were sector specific (with 5% relating to the financial services sector), meaning that the majority of organisations (67%) employed organisation-specific standards (increasing inconsistency). Overall, only 25% of organisations invested in the full implementation of at least one standard (and a quarter of those went on to invest in external certification).
Interestingly, government-published cyber security standards are not prevalent; 77% of standards either originated as international publications or were cherry-picked from localised publications and re-branded. This is something that the European Commission is seeking to address as part of its Digital Agenda for Europe.
Driven by the European Digital Agenda, ETSI recently published its report into Cloud Computing Standards. The research was aimed at identifying a detailed map of the necessary standards and recognising recommended technical specifications for the protection of personal information.
ETSI recommends further work is required to achieve meaningful harmonised security standards, in particular regarding:
- Interoperability (standardisation of APIs, data models or other technical features).
- Security (relating to incident management, cloud forensics, and cloud supply chain accountability management).
- Service levels (including definitions for Service Level Objectives, and related metrics).
This month the European Parliament voted through a revised draft of the Network and Information Security Directive (NISD) which aims to harmonise cyber security across the EU and will impose mandatory obligations on public authorities and market operators. If implemented, this may mean a change in operating practices for some regulated companies, or the elevation of cyber security as a strategic business concern. The European Council will now work together to agree a common approach across Member States to NISD, ahead of an anticipated deadline for adoption in December 2014. NISD is likely to be incorporated into national law by mid-2016.
Current best practice
Businesses are waiting for a proposed basis for a harmonised security standard. Until one is published, businesses should note the following minimum steps recommended by the Government to protect against security incidents:
- Develop a mobile working policy & train staff to adhere to it, and protect data in transit & at rest.
- Produce policies covering acceptable & secure use of systems and a staff training programme.
- Establish incident response & disaster recovery capability (regularly testing associated plans).
- Establish an effective governance structure and produce information risk management policies.
- Establish account management processes and limit the number of privileged accounts.
- Produce a policy to control access to removable media.
- Establish an IT network monitoring strategy and produce supporting policies.
- Apply security patches and ensure that the secure configuration of IT systems is maintained.
- Produce a malware policy and establish anti-malware defences that are used regularly.
- Protect your networks against external, and internal, attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor & test security controls regularly.