07 April 2014
The Institution of Engineering and Technology (IET) is today calling for greater clarity from the Government about which cyber security advice it wants UK businesses to follow. Its Cyber Security Implementation Profile, published today, is intended to define minimum cyber hygiene for UK businesses, but the Government has previously endorsed two other sets of cyber security controls: the Top 20 Critical Security Controls published by the Council on Cyber Security, as well as its own 10 Steps to cyber security: an executive companion, which was published in September 2012.
Hugh Boyes, IET Cyber Security Lead, said: “Having three separate sets of guidelines on cyber security, endorsing 20, 10 and 5 controls respectively, is very confusing. UK businesses are unlikely to understand which are the definitive guidelines and, worse still, there is a real danger that they will ignore the advice altogether, simply because there is no clear message about which guidelines are most applicable to them.
“For these new guidelines to have any genuine impact or conviction, the Government needs, as a bare minimum, to issue clear guidance about when, for example, the ‘10 Steps’ should be used rather than the ‘Implementation Profile’. Even better would be if the Government led from the front by auditing its own services against these latest guidelines, and then declaring the results publicly as a matter of urgency.”
The new Cyber Security Implementation Profile covers five basic controls that businesses need to consider: secure configuration, access control, malware protection, patch management, and firewalls and internet gateways.
One of the control measures in the Implementation Profile relates to Patch Management. Hugh Boyes points out: “A large number of computers in both the public and private sectors are still running Windows XP, which is now over 13 years old. Microsoft announced in 2012 that they were withdrawing support of this ageing operating system from 8 April 2014. Once this happens (tomorrow), there will be no further publicly available critical security updates and PCs will be increasingly vulnerable to harmful viruses, spyware and other malicious software that can steal or damage business data and information. The Cabinet Office has recently signed a £5.5m deal with Microsoft to provide additional technical support and security updates for a further 12 months, but this is at best a short-term stop-gap measure.
“The Government should set an example by ensuring that PCs using the XP operating system within its IT estate are upgraded or replaced within the 12-month support contract the Cabinet Office has just signed with Microsoft. The Government has an open source software policy and this is a good opportunity to expand the use of open source operating systems within the public sector IT estate.”