2008 legislation that requires all UK public sector services to report cyber security breaches in real-time revealed some shocking statistics, including 3,557 data breaches in healthcare alone.[1]
In June 2018, the UK government and the National Cyber Security Centre (NCSC) attempted to offset these risks across public sector organisations by implementing a new set of Minimum Cyber Security Standards (MCSS).
These standards consider 10 essential requirements and, as their name suggests, constitute a minimum set of measures that should be exceeded when possible. This is reinforced by the fact that after the implementation of the standards in 2019, 33% of UK public sector organisations still reported breaches.[2]
In this article, we’re going to look at what the MCSS includes in some detail. Then, we will look to explain how organisations can ensure that their processes supercharge those considerations for comprehensive cyber security solutions that withstand threats in the modern threat landscape. Let’s get started.
Suggested reading: To learn more about cyber security within the public sector, check out our blog — Fundamentals of Public Sector Cyber Security
What are the requirements?
MCSS covers 10 cyber security requirements segmented into five sections of compliance, each of which we’re going to look at individually.
Threat identification should be at the root of any effective cyber security strategy, and is broken down into four subsections in the MCSS:
- Departments shall put in place appropriate cyber security governance processes: Management policies should draw clear lines of responsibility to named individuals with regards to the protection of secure information. Risk assessments should also be carried out against existing threats to internal security structures, while the security processes of supply chain partners should always be screened, either through requirements of assurance against HMG Cyber Security Standards or through the supply of a valid Cyber Essentials certificate.[3]
- Departments shall identify and catalogue sensitive information they hold: Records should be made with regards to any sensitive data held within an organisation’s repositories, specifically focusing on:
  - What sensitive data is being processed?
  - Why is that information relevant?
  - Where is sensitive data stored?
  - Which computer systems are being used to process it?
  - What is the potential impact of the loss of that data?
- Departments shall identify and catalogue the key operational services they provide: Similar records should also be made regarding the services offered by government departments, outlining:
  - Key operational services;
  - Technologies and services that those operations rely on for availability and security;
  - Other operational dependencies (e.g. power, cooling, data, people); and
  - The impact that a loss of availability could cause.
- The need for users to access sensitive information or key operational services shall be understood and continually managed: Access to sensitive data should always be granted to system users in accordance with their roles, but security controls should be revisited periodically to ensure the management and removal of these permissions in the case of role changes or departure.
Putting in place adequate protections is an essential part of a proactive security approach. MCSS breaks these down into three crucial stages as follows:
- Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems: Authentication (ID, passcode, etc.) should be required before any user or system (in the case of highly sensitive operations) is granted access to sensitive information.
- Systems that handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities: Full software audits, tracking, validation, encryption, and patching, among other protections (such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF)), should be implemented across all systems, spanning four main areas of technology:
  - Enterprise technology
  - End-user devices
  - Email systems
  - Digital services
- Highly privileged accounts should not be vulnerable to common cyber-attacks: As well as being subject to complex passwords that change from default values and operate alongside multi-factor authentication where possible, highly privileged accounts for administrators and other high-access individuals should be segregated, and never used across ‘high-risk functions,’ such as web browsing or email access.
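The email-system protections named above (SPF and DMARC) are published as DNS TXT records, and a minimum baseline for them can be checked mechanically. The following is an added example, not code from the standard or from Six Degrees; it assesses constructed sample records against a baseline (SPF ending in -all or ~all with no +all, DMARC policy of quarantine or reject, an aggregate reporting address, and the policy applied to 100% of mail), showing a weak configuration beside one that passes.

```python
"""Check SPF and DMARC TXT records against a minimum email-authentication
baseline. The domain names and records below are constructed samples."""

def parse_dmarc(txt):
    """Split a DMARC record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt):
    """Return a list of findings; an empty list means the SPF record meets the baseline."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    terms = [t.lower() for t in txt.split()]
    # The final 'all' mechanism decides the fate of unlisted senders:
    # -all (fail) or ~all (softfail) is acceptable; +all or no 'all' leaves it open.
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"SPF does not end with -all or ~all (got {terms[-1]!r})")
    if "+all" in terms:
        findings.append("SPF contains +all, which authorises any sender")
    return findings

def check_dmarc(txt):
    """Return a list of findings; an empty list means the DMARC record meets the baseline."""
    if not txt:
        return ["no DMARC record published"]
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC record missing v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy or 'missing'}; expected quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address, so failures go unseen")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC policy applied to only {tags['pct']}% of mail")
    return findings

def assess(records):
    """records: {'spf': <TXT or None>, 'dmarc': <TXT or None>} -> combined findings."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))

# Constructed sample records: a weak configuration beside one that meets the baseline.
WEAK = {"spf": "v=spf1 include:_spf.example.invalid +all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.example.invalid -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100"}
```

Run `assess(WEAK)` and `assess(HARDENED)` to compare the two; the records would normally be fetched from DNS, which this offline example replaces with the constructed strings.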
Detection ensures that risks are identified before damage is done or a breach occurs. According to MCSS, detection revolves around one primary standard, which is:
- Departments shall take steps to detect common cyber-attacks: Departments must define what needs protecting and why, and should capture events that can be combined with common threat intelligence sources to detect known threats. Attackers attempting to use common cyber-attacks should be unable to gain access to technology services without detection, and digital services that are attractive to cyber criminals should implement transactional monitoring techniques at all times.
Adequate and immediate responses should then be implemented, predominantly through one MCSS stipulation:
- Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services: Incident response and management plans should be implemented with clearly defined actions, roles, and responsibilities, including communication protocols in the event of a breach. Plans should also comply with the legal obligation to report all breaches involving personal data to the Information Commissioner’s Office, and should be tested regularly to ensure efficiency.[4]
Fast and efficient recovery from breaches is fundamental to ongoing protection and, according to MCSS, should involve one primary focus:
- Departments shall have well defined and tested processes to ensure the continuity of key operational services in the event of failure or compromise: Contingency mechanisms should be identified and tested to ensure the continuation of key operational services in the event of compromised systems. Business continuity plans should be well-practised, inform the immediate future technical protection of the system or service in question, and ensure that systematic vulnerabilities are identified and remediated.
Where should you go above and beyond?
MCSS provides an undeniably crucial baseline for public sector cyber security. However, as threats evolve, organisations need to consider ways to provide security best practices that offer more than these minimum requirements. A robust security strategy that’s even harder for cyber criminals to overcome should look to:
- Protecting sensitive information: Work from home arrangements that weren’t particularly relevant during MCSS implementations are now raising security questions for as many as 86% of business executives.[5] This has highlighted the need for specific work from home security policies and VPN protections that drastically increase protection.
- Guarding against all types of cyber-attacks: MCSS stipulates the need to protect against common risks, but cyber crime increases of 31% across the pandemic alone have revolved mainly around new and evolving threats.[6] This includes increasingly difficult-to-manage ransomware (as seen in the NHS WannaCry attack) and intelligent, socially engineered phishing scams.[7] A heightened focus on training and responsive security plans should meet these risks head-on, as well as keeping existing MCSS policies ticking over to avoid long-standing risks.
- Penetration testing: Penetration testing outside of compliance expectations enables organisations to identify levels of technical risk that aren’t necessarily considered within MCSS. This makes it possible to account for arising threats during the configuration of security goals, creating a protective barrier with the potential to provide far more comprehensive security resistance.
- Understanding risk appetites (and tolerance): To meet their objectives, many public sector organisations will need to accept some level of risk that isn’t considered in MCSS. By taking the time to understand risk appetites and tolerance through comprehensive risk assessments, it’s far easier to align risk with strategic objectives and determine when action should be taken.
Further reading: For more on cyber security best practices, take a look at our blog — Cyber Security Best Practices in 2021: How to Do More With Less
Establish partnerships for the best outcomes
While MCSS guidelines raise the bar in terms of minimum security requirements, in the context of an evolving risk landscape, extensive security processes are essential for public sector organisations in order to avoid the damage that breaches can bring. Achieving this in-house is not only time-consuming and costly, but also means the risk of falling behind compliance standards is very real.
Ongoing security protections that adhere to and enhance MCSS rely on adaptable and expansive solutions. Security partnerships like those offered by our team here at Six Degrees are here to make this a reality.
Using our understanding of the threats facing public sector organisations, we’ve developed affordable, easy-to-implement managed security solutions that understand the importance of cyber security as a journey, rather than a destination.
By working with you at every stage, we’ll help enforce policies that not only work alongside MCSS, but also account for new threats outside the scope of these minimum requirements, even in a risk landscape that’s evolving at every turn.
Contact us today and see how Six Degrees can help your organisation develop a robust cyber security posture.