NCSC To Revamp Cyber Risk Management Guidance

HSBC, security, hacking

The National Cyber Security Centre said it will aim to present a ‘toolbox’ of approaches for different types of organisations and situations

The NCSC's headquarters in Victoria
The NCSC’s headquarters in Victoria

The National Cyber Security Centre (NCSC) is planning to rework its existing guidance on cyber risk management, a step it says is in recognition of the field’s growing complexity.

The step follows on from the NCSC’s first anniversary earlier this month and will see the body, which is part of GCHQ, taking a different approach from the CESG, which was the UK government’s national technical authority for information assurance, and was one of the NCSC’s predecessor organisations.

The CESG promoted a single method for conducting cyber risk management within the British government, and the NCSC said this experience showed it that a more varied “toolbox” was necessary.

“Mandating the use of specific techniques across a field as broad as the UK public sector, can have unintended consequences,” said the NCSC’s risk research lead, identified as John Y, in an official blog post. “Risk management for cyber security is simply too complex to be managed using a single method.”

Small business advice coming up first

John Y said the upcoming guidance, which is to begin with information for small organisations, was developed with partners including industry, government organisations and university researchers.

The NCSC said it would draw on other established domains of risk management, such as industrial safety engineering, and would aim at identifying different techniques and explaining the strengths and weaknesses of each approach.

The first stage of the new guidance is “nearly ready” and is to be delivered before Christmas, John Y said.

It will include a discussion of risk management fundamentals for small organisations, including an examination of two approaches, one focusing on technical components and the risks they’re subject to, and the other looking at threats that can affect an organisation’s IT system looked at as a whole.

The techniques are based on ongoing research by the NCSC’s Sociotechnical Security Group, and later on will include causal analysis of cyber risk, techniques for quantitatively analysing it and discussions of how it’s perceived and communicated, John Y said.

But he promised the NCSC would avoid jargon and would aim to deliver guidance that was “succinct and useful”.

“The aim here is to make it clear what ‘good enough’ looks like, for those working with very limited resources,” he said, referring to the advice for smaller organisations.

UK targeted

The current set of risk management guidance is to be retired, with useful elements to be repurposed.

The NCSC earlier this month published a set of five basic steps, including backing up data and securing mobile devices, that it said small businesses can take to protect their data from attacks.

The agency also offers a set of 10 recommended security steps for larger businesses and a security certification scheme called Cyber Essentials.

The Department for Digital, Culture, Media and Sport (DCMS) found earlier this year that nearly half (45 percent) of all micro or small businesses had been affected by a computer security breach or attack in the past year.

The NCSC recently revealed the UK had been hit by more than 500 “significant” cyber attacks over the past 12 months.

Do you know all about security in 2017? Try our quiz!