According to IET cyber security lead Hugh Boyes, the new publication intended to define minimum cyber hygiene for UK businesses has caused confusion that the government needs to clear up.
Previously, Whitehall has endorsed two other sets of cyber safety guidelines, as well as its own “10 Steps to Cyber Security,” which was published in September 2012.
“Having three separate sets of guidelines on cyber security endorsing 20, 10 and 5 controls respectively, is very confusing,” claimed Boyes.
“UK businesses are unlikely to understand which are the definitive guidelines and, worse still, there is a real danger they will ignore the advice altogether, simply because there is no clear message about which guidelines are most applicable to them,” he continued.
Boyes went on to explain his view that for the newly published guidelines to have any impact or conviction, the government needs to issue clear guidance about when each set of suggestions should be used.
“Even better would be if the government led from the front by auditing its own services against these latest guidelines and then declaring the results publicly as a matter of urgency,” he added.
After pointing out that one new guideline advises on patch management, he cited the recent example of this deal, calling it “at best a short-term gap measure.”
“The government should set an example by ensuring that PCs using the XP OS within its IT estate are upgraded or replaced within the 12-month support contract the Cabinet Office has just signed with Microsoft,” he claimed.
“The government has an open source software policy and this is a good opportunity to expand the use of open source operating systems within the public sector IT estate,” Boyes concluded.
The new Cyber Security Implementation Profile covers five basic controls that businesses need to consider: secure configuration, access control, malware protection, patch management, and firewalls and Internet gateways.
Universities and Science Minister David Willetts has claimed that it is an easy and cost-effective way to help businesses protect themselves against the risk of operating online.