© Copyright BlueFort Security Ltd.
By Josh Neame, CTO, BlueFort Security
As we get ready to wave goodbye to 2024, if you’re anything like me you’ll already be thinking about the challenges 2025 will bring. For many of us 1st January is when we spring into action with all those New Year’s resolutions to get fit, eat more healthily, spend less time on our phones, perhaps even lead a simpler life… Statistically most of us will have broken those resolutions by lunchtime on 2nd January. For those of us who work in cybersecurity, leading a simpler life (at work) was never really going to be a realistic goal.
For a start, in a well publicised speech to mark the launch of the National Cyber Security Centre’s (NCSC) annual report, new head, Richard Horne, warned that Britain and its allies are competing in a high-stakes contest for cyberspace between those attacking and “those of us who are using technology to conduct and improve our lives and prosperity.”
At the same time UK laws and regulations are rapidly changing to make sure that businesses are constantly – and consistently – working to improve their cybersecurity defences, to better protect data security and privacy.
What this all means is that for those of us working at the coalface of cybersecurity, ensuring compliance with the growing number of laws and regulations – and avoiding penalties and fees imposed for non-compliance – is not in the least bit simple.
The words regulation and framework are tossed around IT security teams like confetti, one often mistakenly used to describe the other. One could argue it’s just semantics at the end of the day – if you have to adhere to it, it doesn’t matter what it’s called – but I’m a purist in this matter so I think it’s important to understand the difference.
Here goes: A regulation is a government-enforced set of security requirements that an organisation must follow to raise its cybersecurity standards. A cybersecurity framework, on the other hand, offers organisations a pathway for improving their cybersecurity posture.
Cyber Essentials is a UK Government framework that offers a simple approach that most companies can work to. As the Government’s minimum baseline standard for cybersecurity in the UK, it covers the essentials and will protect an organisation from a wide variety of the most common cyber attacks.
The NCSC’s Cyber Assessment Framework (CAF) helps organisations responsible for some of the UK’s most critical services and activities to strengthen their cyber resilience. The CAF consists of a set of principles that outline what an organisation should achieve, rather than a step-by-step guide to how to achieve it. Its four key objectives provide guidance on what processes and systems should be in place.
ISO/IEC 27001 is an internationally recognised cybersecurity framework. It sets a standard for best-practice Information Security Management Systems (ISMS), specifying the requirements for an ISMS so that organisations can effectively manage the controls and systems that protect assets such as financial information, intellectual property, employee details and third-party information from threats and vulnerabilities.
From a regulatory standpoint, the UK has a solid legal setup to tackle the rising importance of cybersecurity. Laws are seen as a key tool to help improve cybersecurity results. In theory, this means companies from all industries are better prepared to handle digital threats, and avoid disruptions to their operations. Key cybersecurity laws and regulations in the UK include the Data Protection Act, GDPR and NIS, to name just a few.
As the UK’s only cross-sector cyber legislation, NIS boosts cyber and physical resilience. However, there’s a lot more that needs to be done to build more substantial resilience into the UK’s critical national infrastructure. If the UK is to withstand or recover from attacks by the most sophisticated state-level cyber threats, this increased resilience is non-negotiable.
This is the core reason behind the UK’s Cyber Security and Resilience Bill, which will be introduced to Parliament in 2025. Formally proposed as part of the King’s Speech in July 2024, the objective of this Bill is to strengthen the UK’s current cross-sector cybersecurity laws to better protect the UK’s economy and infrastructure. It will update existing regulations and implement new rules to keep up with the EU reforms in this area.
When I was writing this post, there was very little information about the Bill itself, but the previous Government’s response to a consultation on amending the NIS regulations suggested that digital managed services would be brought into scope; incident reporting obligations will be expanded; a risk-based approach to regulation will be adopted; and a new power will be created to bring into scope critical suppliers or services on which covered services depend.
As the NCSC has stated in its annual report, this “new legislation won’t be an end in itself… And this may not be the only time we need new legislation to protect our infrastructure and economy… We need to ensure we have the legislation we need to give the nation the tools it needs to contest the threats we face.”
I spend a good deal of time meeting with and speaking to colleagues in the cybersecurity industry. Two questions consistently crop up: 1) how to definitively know which frameworks and regulations are in scope for their business and 2) how to ensure compliance. As additional frameworks and regulations get introduced, the challenge is only going to increase.
Those who know me well are familiar with the known unknowns and unknown unknowns that are pretty much my starting point when it comes to addressing the above concerns. Each organisation’s IT landscape is different. The one common theme is that they’re all extremely complex – and we know that’s what makes things tricky.
The one truism in cybersecurity is that you can’t protect what you don’t know you have. Yet a recent study found that organisations globally report that they can “see” or monitor only 66% of their IT environments, leaving ample room for blind spots, including those in the cloud. While no organisation is immune from adversarial advances, the lack of full visibility means that organisations are potentially blind to any advances in those unseen environments.
Our team of highly skilled consultants partners with CIOs, CISOs and SecOps teams to help simplify, consolidate and optimise their cybersecurity environment. Our tightly integrated security disciplines deliver complete solutions that ensure continuous cyber discovery, validation and control for your organisation. Through our Evolve service, we deliver flexible and on-demand access to skills and expertise to support your in-house security team.
There is no one-size-fits-all approach to cybersecurity, and there’s definitely no proverbial silver bullet. On that I think we can all agree. By working with us and following our model – driven by industry standard methodologies including NIST, ISO 27001, Cyber Essentials Plus and CTEM – the New Year’s resolution for a simpler life just might be in reach.