The UK government has published a minimum cyber security standard, which can be used by any organisation to improve its defence against cyber attacks.
In the document are the minimum security measures that government departments are now expected to implement in order to protect their information, technology and digital services. It will help them meet their Security Policy Framework (SPF) and National Cyber Security Strategy obligations.
It is the first cyber security technical standard the government has developed in collaboration with the National Cyber Security Centre (NCSC). It will be incorporated into the Government Functional Standard for Security.
According to the published document: “The standard presents a minimum set of measures and departments should look to exceed them wherever possible.
“Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures that departments will be expected to use and where available for use by suppliers.”
Active Cyber Defence is a programme designed by the National Cyber Security Centre, which aims to tackle cyber attacks in a relatively automated and scalable way to improve the country’s resilience.
It revolves around four programmes – Web Check, DMARC, Public Sector DNS and a takedown service. They have resulted in the UK share of visible global phishing attacks dropping from 5.3 per cent in June 2016 to 3.1 per cent in November 2017. Active Cyber Defence also removed 121,479 phishing sites hosted in the UK, and 18,067 worldwide spoofing UK government authority.
Compliance with the new minimum security standards can be achieved in many ways, according to the government, depending on the technology choices and business requirements in question.