CYBERUK is the UK government’s flagship cyber security event, hosted by the National Cyber Security Centre (“NCSC”). Held annually, the conference is an opportunity for the UK’s cyber security community to come together to learn from one another, discuss the changing threat landscape and prioritise online defence.
As well as being a forum for discussion, the event marks a critical moment in the cyber security news calendar. This year, government bodies and officials made some significant announcements that will markedly change cyber security regulations and strategies in the near future.
Without further ado, here’s what you need to know.
Changes coming to the Computer Misuse Act 1990
In her keynote speech, the Home Secretary, Priti Patel, announced the government’s intention to formally review the Computer Misuse Act 1990 (“CMA”), to “maintain the UK’s competitive edge and counter the threats” the country faces. The Home Secretary also condemned ransomware pay-outs.
The CMA was first introduced in 1990 to prohibit unauthorised access to computers and the data they store. It has been revised over the years. For example, denial-of-service attacks were added to the legislation as a violation in 2006.
Despite these amendments, the CMA has come under criticism – particularly from the legislative campaign group the Criminal Law Reform Now Network, and from CyberUP, an advocacy group of UK-based cyber security professionals.
Both bodies are campaigning for reform to the CMA, arguing that it is no longer fit for purpose. Their criticisms include that Section 1, “prohibiting unauthorised access to computers, inadvertently criminalises a large proportion of cyber security and threat intelligence research and investigation by cyber security professionals.”
They also state the Act “provides a confused legal framework, with outdated and ambiguous terminology, and an unjustifiably broad application.”
While it’s unclear if the announcement is a direct result of these ongoing campaigns, it is encouraging to hear the government is determined to ensure CMA 1990 is updated to be fit for purpose.
£22m budget for cyber capability building
The UK announced cyber capability funding to protect developing countries in Africa and the Indo-Pacific from malevolent cyber influence. In his speech, Foreign Secretary Dominic Raab warned about malicious state activity stemming from “authoritarian regimes” such as North Korea, Iran, Russia and China.
As part of the investment and in conjunction with Interpol, the UK will create a new cyber operations centre in Africa to “improve co-operation on cybercrime investigations, and support the countries involved to mount joint operations.”
A refreshed 10 steps to cyber security
The NCSC’s ’10 Steps to Cyber Security’ guidance was originally published by the NCSC’s predecessor in 2012. In a new blog post, the NCSC acknowledged “quite a lot has changed since 2012. We have not only seen changes in the external environment (such as the growth of cloud services and more recently the shift to home working), but also changes in the nature of the threats facing organisations.”
In line with the evolving landscape, it has therefore refreshed the guidance. Here’s an overview of what’s changed:
| 10 Steps 2021 | What’s changed | 10 Steps 2012 |
|---|---|---|
| 1. Take a risk-based approach to securing your data and systems. | Unsurprisingly, no change at number one. Cyber risks should be considered alongside other business risks, and discussed at an appropriate level in your organisation. | 1. Risk Management Regime |
| 2. Engagement and training. Collaboratively build security that works for people in your organisation. | Promoted from Step 5 to Step 2, this recognises people are at the heart of good cyber security. There is further guidance on a positive cyber security culture. | 5. User education and awareness |
| 3. Asset management. Know what data and systems you have and what business need they support. | New! You should establish and maintain knowledge of your assets, including what’s patched, about to go out of service and your cloud storage settings. | |
| 4. Architecture and configuration. Design, build, maintain and manage your systems securely. | A common-sense combination of two previous Steps (2 & 3) into a new Step 4. This advises you include security from the outset and enable your systems to remain secure throughout their lifecycle. | 2. Secure configuration; 3. Network security |
| 5. Vulnerability management. Keep your systems protected throughout their lifecycle. | New! You should establish a vulnerability management process, so you gain an up-to-date understanding of your vulnerabilities, the risks they present and the cost of mitigation. | |
| 6. Identity and access management. Control who and what can access your systems and data. | This step has been refreshed, but the principle, which is also a fundamental for Cyber Essentials, remains important. | 4. Managing user privileges |
| 7. Data security. Protect data where it is vulnerable. | New! This step has been updated to reflect the increased modality of data, its ease of transmission and shareability. The guidance now also includes advice on data backups. | |
| 8. Logging and monitoring. Design your systems to be able to detect and investigate incidents. | There has been a change in emphasis with logging added: it’s easy to spot the abnormal if you monitor routine behaviour. Spotting incidents early on can reduce the impact on your business. | 8. Monitoring |
| 9. Incident management. Plan your response to cyber incidents in advance. | Plan for when, not if, an attack happens, and think of a cyber incident as a business issue, not just an IT one. For help with crafting an incident response plan, read our guide here. | 6. Incident management |
| 10. Supply chain security. Collaborate with your suppliers and partners. | New! Codified in the 10 Steps, this proposes identifying and managing risk in your supply chain. | |
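The point behind Step 8 (“it’s easy to spot the abnormal if you monitor routine behaviour”) is easier to see with a small worked illustration. The script below is an added example, not NCSC code or anything from the 10 Steps guidance: it learns a per-user baseline (which source addresses and which hours of the day each account normally logs in from) out of a run of constructed sample log lines, then flags later events that fall outside that baseline. The log format, account names and addresses are all invented for the illustration.

```python
"""Baseline-versus-anomaly check in the spirit of Step 8 (logging and monitoring).

Added example, not NCSC code. The log lines and their format are constructed
for illustration. Idea: record what routine looks like (which accounts log in
from which sources, and at which hours), then flag events that fall outside it.
"""
from collections import defaultdict
from datetime import datetime
import re

# Hypothetical line format: ISO timestamp, user, source address, outcome.
LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")

# Constructed "routine" period used to learn the baseline.
BASELINE_LOGS = """\
2021-05-10T08:02:11 login user=alice src=10.0.1.15 result=ok
2021-05-10T08:45:03 login user=bob src=10.0.1.22 result=ok
2021-05-10T09:10:40 login user=alice src=10.0.1.15 result=ok
2021-05-11T08:15:27 login user=bob src=10.0.1.22 result=ok
2021-05-11T17:30:59 login user=alice src=10.0.1.15 result=ok
2021-05-12T09:00:05 login user=carol src=10.0.2.7 result=ok
""".splitlines()

# Constructed later period to check against the baseline.
NEW_LOGS = """\
2021-05-13T08:20:00 login user=alice src=10.0.1.15 result=ok
2021-05-13T03:12:44 login user=alice src=10.0.1.15 result=ok
2021-05-13T10:05:10 login user=bob src=198.51.100.9 result=ok
2021-05-13T10:06:00 login user=dave src=10.0.1.30 result=ok
2021-05-13T11:00:00 login user=carol src=10.0.2.7 result=fail
""".splitlines()


def parse(line):
    """Return (timestamp, user, src, result), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return datetime.fromisoformat(ts), user, src, result


def build_baseline(lines):
    """Learn routine behaviour: for each user, the sources and hours seen on successful logins."""
    sources = defaultdict(set)
    hours = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if result != "ok":
            continue  # only successful logins define what is routine
        sources[user].add(src)
        hours[user].add(ts.hour)
    return {"sources": dict(sources), "hours": dict(hours)}


def find_anomalies(baseline, lines):
    """Return (line, reason) pairs for events that sit outside the learned baseline."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            findings.append((line, "unparseable line"))
            continue
        ts, user, src, result = parsed
        if user not in baseline["sources"]:
            findings.append((line, f"never-seen user {user}"))
        elif src not in baseline["sources"][user]:
            findings.append((line, f"{user} from unfamiliar source {src}"))
        elif ts.hour not in baseline["hours"][user]:
            findings.append((line, f"{user} at unusual hour {ts.hour:02d}"))
        if result != "ok":
            findings.append((line, f"failed login for {user}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for line, reason in find_anomalies(base, NEW_LOGS):
        print(f"{reason}: {line}")
```

Run as-is, it reports alice’s 03:00 login, bob appearing from an unfamiliar address, an account that never appeared in the baseline, and carol’s failed login. The sets are deliberately crude: a real deployment would learn over a longer window and weight findings, but the shape is the same, and it only works if the routine logs were being kept in the first place, which is the change of emphasis the refreshed Step 8 is making.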
What’s out and why?
- Malware prevention
Malware is a catch-all term for malicious software, and protection against it is a requirement of Cyber Essentials. The updated 10 Steps takes a more mature, holistic approach to dealing with malware, weaving mitigation and prevention throughout the 10 steps rather than treating it as a step of its own.
- Removable media controls
Remember the days of downloading your work onto USB sticks and CDs? With the proliferation of cloud applications, most of the workforce don’t do this anymore, which is why this step has been retired.
Of course, locking down autorun on USB drives sensibly remains a prerequisite for Cyber Essentials. However, now that data is stored in the cloud and accessed via the internet, removable media controls have mostly lost their relevance.
- Home and mobile working
Homeworking used to be a tightly controlled novelty in most organisations. But the last year has changed everything. Gartner research shows that over two-thirds of companies (74%) plan to keep remote work, even after COVID-19.
For this reason, home and mobile working is no longer its own step. It has been integrated throughout the guidance, under the assumption that – at least some of the time – employees will be working remotely.
New security guidance for emerging technology start-ups
The NCSC also advertised a new resource for small businesses working in the emerging technology sector. The guidance encourages companies to be proactive about cyber security. It advocates a ‘security from the start’ culture, whereby security is factored into all business decisions. It also offers risk management practices for working with partners, suppliers and expanding into new markets.
You can read the full guidance here.