In February 2017 the Government launched “The National Cyber Security Strategy.” This strategy sets out what cyber risks will be addressed, by whom, when, and how success will be measured. It describes a path to keeping the UK civil nuclear sector ahead of rapidly evolving threats to, and vulnerabilities in, software and equipment over the next five years, and sets out clear expectations of the roles that the industry, Government and Regulators need to play.
“Success will be an increasing capability, capacity and agility of stakeholders to deal with all aspects of the cyber security challenges faced by the UK civil nuclear sector.”
The government’s strategy includes a commitment from the UK civil nuclear duty holders to:
- Establish and sustain robust, effective, agile and assurable cyber security governance arrangements;
- Undertake appropriate risk management processes that pre-emptively reduce the associated risks;
- Increase the sector’s capability and capacity to understand and manage cyber security risks where required;
- Ensure that known cyber security vulnerabilities are mitigated, so far as is reasonably practicable;
- Ensure that they are resilient to, and defend themselves against, evolving cyber threats; and
- Work with their supply chain to support and encourage them to manage and mitigate their cyber vulnerabilities.
For the supply chain, the expectation is that it will:
- Increase its capability and capacity to understand and manage cyber security risks where required;
- Ensure that it has processes in place to notify duty holders of cyber incidents or vulnerabilities;
- Ensure that known cyber security vulnerabilities are mitigated, so far as is reasonably practicable; and
- Undertake appropriate risk management processes that pre-emptively reduce the associated risks.
What is the training need for individuals?
Given the above context, and the fact that 50% of the worst security breaches are caused by human error, it is recommended that all employees are educated in the essentials of cyber security.
Businesses need to consider both initial and refresher training to ensure that all staff understand the risks, and actively seek to protect themselves, both professionally and personally, from cyber and other security-related threats. This should include the latest in good practice in relation to ransomware, phishing, passwords, social engineering, malware, USB sticks, plus security at home and on the move, as well as in the workplace. This is covered in Part A of the NSAN course.
What is the training need for organisations?
Senior Managers and leaders will benefit from high level awareness of cyber security and the requirement for an effective information security management strategy and system. Organisations need to identify the relevant legal and regulatory requirements, such as those emanating from the Office for Nuclear Regulation, and understand what good looks like in terms of governance and compliance.