The Scheme (in its own words) “identifies the security controls that organisations must have in place within their IT system in order to have confidence that they are beginning to mitigate the risk from internet-based threats”. Moreover, “all organisations are free to implement it within their organisation, and self-assess themselves against it.” In other words it’s a basic cyber-security standard with a kite mark system bolted on (although certification under the kite-mark system won’t be available until summer 2014).
The Scheme is aimed at ‘small and medium-sized organisations’ (acknowledging that most larger organisations will hopefully already be addressing their cyber threats as part of a wider programme). It contains some useful practical guidance grouped under five key headings, as follows: (1) Boundary firewalls and internet gateways, (2) Secure configuration, (3) Access control, (4) Malware protection and (5) Patch management. It even comes with its own system of tiers (gold, silver and bronze), to reflect the different levels of rigour a business has put into its cyber-security controls.
However, given that this is a voluntary scheme, the question is whether it will make any difference to the cyber-security landscape.
The hope is that the simplicity of the Scheme will encourage its widespread and early adoption: it is certainly true that in the current climate, any steps to demonstrate an awareness of privacy/cyber security may be well received by customers and consumers alike (details can be found here). It is also true that the Scheme is straightforward, especially when compared to other cyber-security frameworks, notably the US Cybersecurity Framework issued in February 2014 by the National Institute of Standards and Technology (for further information see our blog here).
However, perhaps the real test of whether the Scheme will gain widespread traction is whether businesses start to insist upon their suppliers adhering to its provisions in their contracts for the receipt of goods or services. The UK government has said that it will, in time, “look to use [the Scheme] where relevant and proportionate in its procurement”. The private sector may wish to follow suit. Whereas requiring suppliers to comply with a voluntary cyber-security standard may previously have met with some resistance amongst smaller organisations (given the costs of compliance and the variety of standards available), the Scheme’s simplicity and government-backed status may head off any such resistance. Given the scale and importance of public sector procurement in the UK, a less equivocal commitment to the use of the Scheme by central government would have been helpful, and would have headed off any criticism of the government failing to practise what it is spending £860 million preaching.