On November 1, the U.K. government published its National Cyber Security Strategy 2016-2021. This 81-page strategy explains the U.K. government’s approach to tackling and managing cyber threats in the U.K. and sets out how the U.K. aims to become one of the most secure places in the world to do business in cyberspace.
Having read a number of information security policies over the years, I am struck by how much more detailed this U.K. Strategy is compared with earlier efforts. Here are a few examples of what I mean:
- The document defines “cyber security as the protection of information systems (hardware, software and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security procedures.” This seems to me to be a broad but accurate definition. It acknowledges that effective cyber security is both an electronic and a physical security challenge, and that there are a number of other operational risk considerations to cyber security, including intentional and unintentional human error and harm resulting from natural and man-made disasters.
- The strategy defines threats and vulnerabilities, the role of defense and deterrence, and the approach for strengthening cyber security skills and human resources.
- The strategy is forward-looking, calling for “effective horizon scanning” while promoting the use of metrics to gauge the progress and effectiveness of the cyber security strategy.
- The strategy sets a cyber security bar for all U.K. organizations, public and private, stating: “we will not accept significant risk being posed to the public and the country as a whole as a result of businesses and organisations failing to take the steps needed to manage cyber threats.” To do this, the strategy states: “The Government will make use of all available levers, including the forthcoming General Data Protection Regulation (GDPR), to drive up standards of cyber security across the economy, including, if required, through regulation.”
- It endorses the National Data Guardian for Health and Care data security standards.
- The strategy will be promoted to businesses by working “through organisations such as insurers, regulators and investors which can exert influence over companies to ensure they manage cyber risk” and by seeking to “highlight the clear business benefits and the pricing of cyber risk by market influencers.”
If there was any question as to whether “Brexit” meant the U.K. was going to exit the EU General Data Protection Regulation, this Strategy makes it clear that complying with the GDPR remains a priority. There is much to do to comply with the GDPR. Please read my blog to get more background on this significant regulation. If your organization is doing business in the U.K., it is time to familiarize yourself with this new Strategy and prepare your organization for the compliance obligations that will follow from it.