How does UK legislation match up to the NIST Cybersecurity Framework?

Increasingly aware of the growing threat that cybercrime poses to private businesses and public organisations alike, governments around the world have begun implementing legislation geared towards counteracting it. One of the first to do so was the USA, which brought in the original version of its Cybersecurity Framework in February 2014, initially aimed at critical infrastructure providers.

The Americans have since polished up that framework in a second iteration, published earlier this year, and several other governments around the world have followed suit. The UK hasn’t been sluggish in its response, either, drafting and enacting several different pieces of legislation aimed at covering the same ground as their American counterpart. But what exactly does that ground entail?

What is the NIST Cybersecurity Framework?

The CSF is an instructional set of guidelines aimed at allowing businesses of all shapes and sizes to optimise risk management, boost defences and minimise and mitigate attacks in a cybersecurity context. It is not a rigid rulebook for how companies can go about tightening up their cybersecurity infrastructure, but rather a loose framework which encourages interpretation, adaptation and collaboration with existing security systems. This framework has been divided into functions, each of which is further split up into various categories. These are comprised of:

1. Identify. This function demands that the organisation identify and quantify all key aspects of their business, including data, systems, personnel, environment, policies and procedures, as well as recognising the risks posed by cyber attackers and developing a strategy to deal with them.
2. Protect. This function encourages the introduction of protocols and safeguards designed to minimise exposure to cyber threats. Specifically, it deals with access control, employee awareness and training, data security and the ongoing maintenance and updating of such protective measures.
3. Detect. This function requires companies to implement a continuous security monitoring infrastructure, capable of detecting anomalous activity which may compromise security. It also encourages constant testing and maintenance of these detection measures.
4. Respond. This function dictates that once a threat has been detected, the company has an effective strategy in place to deal with the incident and minimise its impact. It also calls for the appropriate authorities or external parties to be alerted and for the company in question to learn from the security breach in order to better defend against attacks in the future.
5. Recover. This function urges companies to put in place the requisite plans and infrastructure necessary to restore any functionality compromised by the event and return to business as usual. It also asks for companies to communicate with other parties and share information in order to better equip its systems for future incidents.

UK equivalents

The CSF is generally recognised as the gold standard of best practice when it comes to cybersecurity and has been translated into many languages, with several countries such as Italy, Israel and Japan incorporating it directly into their own national legislation. While the UK has stopped short of doing the same, it has introduced several corresponding pieces of law which mirror the CSF’s aims and methods. These include:

• Minimum Cyber Security Standard (MCSS). This standard was published in June 2018 and is the closest approximation of the CSF in British law. It directly lifts the five functions listed above and while some of the categories and the wording within each has been rejigged, it’s by and large very faithful to the CSF source material.
• Health and safety executive (HSE) operational guidance on Industrial Automation and Control Systems (IACS). This guidance was published in March 2017 and is aimed at increasing safety and minimising health risks in the industrial sector. It wishes to prevent accidents and disasters in the workplace as a result of a cybersecurity breach.
• Networks and Information Systems (NIS) Directive. This directive was originally published by the EU in July 2016 with the aim of standardising cybersecurity legislation across all of its 28 member states. Each state was responsible for introducing its own interpretation into their respective laws by May 2018.

Like the CSF, all three of these pieces of legislation have been left deliberately vague, since attempting to define a one-size-fits-all approach to cybersecurity across different industries, platforms and situations is all but impossible. Instead, companies are encouraged to interpret the legislation independently and tailor their own security processes to ensure they comply.

Are you effected?

Not everyone will be effected by all of these rules and regulations. The MCSS applies only to UK government departments. The HSE operational guidance on IACS targets energy and electricity providers and distributors and any enterprise involved in the manufacture, use or storage of hazardous and explosive chemicals and microbiological substances. The NIS Directive is aimed specifically at critical infrastructure, including Operators of Essential Services (OESs) and Digital Service Providers (DSPs). The former includes businesses involved in the industries of oil, gas, energy, transportation, banking, water, food and telecommunications, while the latter includes companies providing an online service or platform, such as cloud computing or search facilities.

As a result, there are many companies in the UK – including the majority of start-ups and SMEs – which do not fall under the jurisdiction of any of these legislative measures. However, that does not mean that they are not indirectly relevant to anyone operating in a modern business world that is increasingly fraught with the risk of cybercrime. Indeed, all three documents move in similar spheres and cover much of the same ground, providing blueprints to help any business serious about safeguarding its assets, beefing up its online defences and planning for a sustainable, successful future achieve their goals. Even if your company is not legally required to comply with the sentiments expressed in the various documents, doing so regardless makes prudent sense.

Getting the right help

Of course, when profit margins and projected figures are often the be-all and end-all of a company working in a highly competitive market, there often simply isn’t the budget to spend on unglamorous expenses like cybersecurity. However, that doesn’t mean that your online defences should go neglected; far from it. Businesses operating with little financial wiggle room can ill-afford to fall afoul of cyber scammers intent on bleeding those coffers dry. A robust cybersecurity system should never be seen as a luxury, but rather an unsung hero vital to sustainable success.

Fortunately, we at Quorum Cyber have developed a set of high-performance cybersecurity packages aimed at delivering that perfect compromise between security and financial stability. As a team of dedicated and highly experienced professionals versed in all aspects of cybercrime – and how to counteract it – our Big Red Button services are designed to help your company stay on the right side of cybersecurity best practices in whichever guise they take, whether that be NIST, MCSS, HSE or NIS. Forget the acronyms and the aggro and leave all the hard work to us and we’ll ensure your business’s online defences are up to scratch. For more information about how we can help, get in touch with us today.