Secure by Design, and what it means for SMEs
Every day there are approximately 6.7 million attempts to get into the MOD’s network. In 2022 it was reported that 81% of large organisations in the UK had suffered a cyber security breach. The cyber landscape is constantly changing and presenting new threats. An incident can be costly, causing both financial and reputational harm. For MOD, cyber threats are also a huge risk to national security and are taken extremely seriously.
What is Secure by Design? Why should SMEs get involved? How will CSM fit?
Last year MOD set out the Cyber Resilient Strategy for Defence. This is designed to ensure capabilities and programmes are inherently protected against cyber-attacks from the outset and throughout their lifecycle with pre-planned recovery measures in place. Cyber-attacks on the MOD’s Suppliers can be just as damaging as an attack on its own networks. Therefore, it is imperative that Suppliers to MOD are also cyber resilient.
The Defence Cyber Protection Partnership (DCPP) is a collaboration across government and industry, strengthening security across the supply chain. In 2017, the MOD introduced their Cyber Security Model (CSM). This is a risk-based, proportionate approach to protecting MOD Identifiable Information (MODII). Defence Condition (DEFCON) 658 can be flowed down the entire supply chain, requiring suppliers to adopt the controls in Defence Standard 05-138.
In July 2023, Secure by Design (SbD) was added to this requirement and is a key component of how cyber security is managed within the MOD. This requires the MOD’s project teams to consider security requirements for the products, systems and services being procured from the very beginning and all the way through life. SbD improves security and greatly enhances the visibility of any risk areas. It supports the delivery of more secure systems through simplified processes, greater use of open standards, better guidance, more flexibility, and empowered decision making.
A revised CSM goes live in 2024 and brings modern cyber security rigour to the procurement process. The change shifts the focus from protecting MODII alone to seeking Supplier security and resilience across their corporate environment.
The old Cyber Risk Profiles are being replaced with new levels, the lowest being Level 0, which cover both technical and non-technical controls:
- Cyber Essentials certification
- Managing security risk
- Protecting against cyber-attack
- Resilient security defences
- Minimising the impact of incidents
To go into more detail on how SMEs can make simple changes to their cyber security that not only meet MOD requirements but also secure their everyday business, join our webinar with MOD Cyber and Team Leidos in January.