Does the UK need to improve IT security standards?
The UK Government has said new laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses.
The government also proposes to change the way organisations report cyber security incidents and to reform the legislation so that it is more flexible and can keep pace with technological change.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said: “Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched. The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Improving the cyber security of companies providing essential services
Research by the Department for Digital, Culture, Media and Sport shows only 12% of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (5%) address the vulnerabilities in their wider supply chain.
In order to improve the cyber security of companies that provide essential services such as water, energy, transport, healthcare, and digital infrastructure, the Network and Information Systems (NIS) Regulations came into force in 2018.
The government wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs), which provide specialised online and digital services such as security services, workplace services and IT outsourcing. It has launched a consultation on amending the NIS Regulations which includes proposals to:
- Expand the scope of the NIS Regulations to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations.
- Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO.
- Give the government the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing into scope further organisations that provide critical support to essential services.
Providing the UK Cyber Security Council with new abilities
In March 2021, the government established and funded the UK Cyber Security Council, a new independent body to lead the cyber workforce.
New proposals would give the council the ability to define and recognise cyber job titles and link them to existing qualifications and certifications. People would have to meet competency standards set by the council before they could use a specific job title across the range of specialisms in cyber security.
This in turn would make it easier for employers to identify the specific cyber skills they need in their organisations and provide clearer information on career pathways for young people as well as existing practitioners, without creating unnecessary barriers to entry and progression.
Simon Hepburn, CEO at UK Cyber Security Council, said: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”