The UK government has announced a new Cyber Action Plan which aims to relaunch the country’s cyber program and invests over $200 million into public cybersecurity defences.
The plan recognises that whilst digitisation of public services offers huge advantages in terms of efficiency and value for money, these benefits can only be realised if public services are secured to be trustworthy and resilient.
Central to the plan is a government Cyber Unit, which will be established to coordinate rapid improvements in cyber defences across departments and the wider public sector. This is also in keeping with the government’s objective to digitise public services, with a view to making these more accessible and efficient whilst, at the same time, safeguarding public trust in the reliability of such systems.
According to Gabrielle Hempel, Security Operations Strategist at Exabeam, the new policy document offers many good points and helps guide businesses on how to think about and measure their vulnerabilities.
Hempel selects three areas of importance.
The first is that the measures “Support what many of us in the industry have been saying: that voluntary frameworks and advisory models do not produce measurable security outcomes. If standards aren’t enforceable, then cyber posture will continue to degrade quietly until failure becomes apparent through public harm.”
The second considers the finances, with Hempel stating: “The true vulnerability that many organizations (and governments) overlook isn’t hackers, it’s technical debt. As identified in the plan, legacy infrastructure is the systemic weakness. Unsupported systems can’t be secured at scale.”
In terms of the specific attack areas and the focal points for businesses, Hempel directs attention to: “Supply chain is now the primary attack surface for government. Many of the high-impact incidents we have seen in recent years haven’t been direct intrusions, they have been inherited through vendors, MSPs, and service providers. Strengthening contractual obligations for suppliers is a must to truly address the areas that are lacking.”
Another area of consideration is how the success or failure of the policy can be judged. Also from Exabeam, Findlay Whitelaw, Cybersecurity Strategist and Researcher, explains to Digital Journal that businesses need to put aside appropriate funding.
According to Whitelaw: “One thing that stands out is these feel less like policy changes and more like a shift towards how cyber effectiveness will be judged. The direction of travel isn’t just stronger standards or tighter supplier obligations, but how quickly risk is identified, prioritised and contained when things don’t go to plan. Technical debt and supply chain exposure amplify this challenge.”
Whitelaw summarises: “To me, these changes signify a pivot from: do you have controls, to can you prove they work at speed and at scale.”
