Out-Law News

Businesses must become 'comfortable' with uncertainty on cyber security, says UK government

Businesses must accept that they will not be able to eradicate cyber security risks and that they will need to handle uncertainty when taking decisions regarding technology projects, the UK government has said.

In new guidance it is still developing, the government said businesses must get "comfortable" with such uncertainty and accept that they might sometimes make the wrong decisions on cyber security issues.

"In striving for security we constantly have to deal with uncertainty, yet there is often a desire for absolutes; risks are not always predictable and cannot be eradicated," the UK government said. "Any approach to risk management needs to accept that there will be uncertainty, so that people know they can ask for help, admit mistakes, and seek advice from trusted sources."

"You will have to make the best decision based on the information available to you at the time. In hindsight, some decisions may be wrong; information and expertise help to reduce uncertainty, but rarely to zero. Become comfortable with uncertainty; cyber security incidents and mistakes will happen, so plan for this. Don’t seek blame - learn from them; independent advice from trusted sources can help build confidence," it said.

The new guidance on risk management of cyber security in technology projects recommends that businesses ensure that "security-focussed staff" help to deliver those projects and that security risks are communicated "in plain English" across an organisation so that any risks an organisation decides to take on are understood.

Businesses were also called on to ensure security is part of technology decision making, and to use systems that do not encourage "workarounds".

"Unusable systems encourage users to find workarounds, resulting in systems that are unproductive and insecure," the government said. "Well-designed systems are both enjoyable to use, and more secure as a result... Good solutions support user needs whilst maintaining sufficient security; make the right choice the easy choice for the user."

The UK guidance was issued as a senior US Department of Defense official called for new "cyber standards" to be developed to address security threats. Army General Martin E. Dempsey was commenting following the recent hacking attack on Sony Pictures, which the US has blamed on North Korea.

Dempsey said the standards should be set out in new US legislation along with provisions that would require the US government and businesses to "share information about attacks, whether it's the signatures of attacks or the actual occurrence of attacks". He said the US does not hold an advantage over other countries in relation to its cyber capabilities and that this makes him "very uncomfortable".
