Swiss Army Penknife
As usual the last week of August has been relatively quiet security-wise, what with the foot soldiers taking advantage of the capo dei capi, spending a little bit of ‘me time’ (not to be confused with ‘time’) on a sleek super yacht, hidden volcano island (mwahahaha) or lair as yet undiscovered.
Of course there is the usual data breach news. T-Mobile lost the details of 2 Meeelion American subscribers, a mere drop in the ocean compared with Equifax, Yahoo etc. (the list goes on), but significantly larger than Dido Harding’s TalkTalk.
Would you agree that there are so many of these telephone number breaches that we are becoming immune to them? A very unhealthy intersection of breach boredom and patch fatigue is the very last thing we need.
There is also the usual zero-day ‘should we announce it, shouldn’t we?’ malarkey, with security researcher ‘SandboxEscaper’ publishing a zero-day vulnerability, which works against patched (yes, patched) Windows 10 machines, complete with proof-of-concept code. This remains unpatched and is in the wild, no biggy.
Moving on then to the useful and exciting stuff. Subscribers to our LinkedIn, Facebook and Twitter feeds will have seen our posts about the UK Government’s Cyber Security Guide for small businesses. This is very good advice and precipitated a conversation between some of our gnarliest old hacks about measurable standards. The NIST 2011 (really that long ago) 800-144 guidelines were discussed, amongst many others. What an afternoon that was.
It transpires that this week, the Swiss Federal Office for National Economic Supply has released a Minimum ICT Standard for businesses.
In our opinion this is amongst the most pragmatic and sensible set of recommendations, ever (Cue Jeremy Clarkson voice). It also comes complete with really quite straightforward assessment tooling. Here is how they bill it:
Each individual business and organisation has a fundamental responsibility to protect itself. However, wherever the functioning of critical infrastructures is affected, the state also has a responsibility, based on its remit as laid down in the Federal Constitution, and on the National Economic Supply Act. This Minimum ICT Standard is an expression of the responsibility of the state to protect its citizens, its economy, and its institutions and public administration.
It is recommended that operators of critical infrastructures implement this Minimum ICT Standard. This document nonetheless provides any interested business or organisation with a decision-making guide and specific instructions for improving its own ICT resilience.
It makes quite a lot of sense to us.
Coming from the nation that brought you amazing chocolate, second-hand gold storage repositories, yodelling, vocal nuns wandering the mountains with children, terrorising locals with their close-harmony singing, and trains that run on time (most of the time), we highly recommend that you have a look at it. We are.
There is very little point just leaping on a set of standards that you cannot measure or enforce, which is why some of the leading contenders (ISO etc.) are out of reach for all but the behemoths of industry.
Our recommendation has always been to start with the basics. Assess where you are, decide where you want to be and use frameworks and standards to measure yourselves and improve, pragmatically and affordably.
As luck would have it, our fantastic team of consultants who have already forgotten about their summer holidays are on hand to help you through this process. Contact us at: [email protected] or call 020 7517 3900. You never know, there might be some Swiss Chocolate available.
Follow our social media feeds to see when we will be doing our Sound Of Music themed Swiss Minimum ICT Standards gig, a drop of golden sun indeed.
Didn’t that summer go quickly? Welcome back to the real world. With thanks to the gnarliest.