Press "Enter" to skip to content

What the UK’s cyber experts are saying, and why everyone should care.

Let’s turn our attention across the pond to our friends in the UK.

The government is beginning work on reforming the Computer Misuse Act, the 31 year old law that manages unauthorized access to computer systems.     Now, the UK home secretary has launched a call for information on the Act and is now soliciting feedback for revisions. 

And, the UK government has published a “safety-focused” plan to regulate online content and speech focused on children.    This will move into debate and discussion next.    

The National Cyber Security Center has updated their security guidance, with emphasis on cloud services, remote workers, and ransomware.

The center has also announced the addition of an Early Warning Cyber incident notification service, designed for alerts about cyber attacks on their networks.    Free to use, it’s a filtered source of threat intelligence for organizations.

The center then issued new advice on security patches – just turn them to automatically apply.   Even for enterprises.  

“Patching is now so much easier and so much less risky than it was when we first started doing this stuff. If there’s one thing that anyone out there wants to take away, turn on automatic updates, please – even if you’re an enterprise, turn on automatic updates,” said Dr Ian Levy, technical director of the NCSC, speaking at the cybersecurity agency’s CYBERUK 2021 virtual event.

Why do we care?

There’s a lot here.  My UK based listeners will want to take advantage of those new services, as well as respond to those calls for input.

That last bit of guidance really stuck with me.    Think of the implications – security experts are saying “just auto apply patches”.  If you’re a traditional IT provider who has been controlling this setting… your value just reduced.   Sure, I don’t doubt the value of checking, because trust but verify is a key security principle.

But the pitch of “oh, we test everything” just goes out the window when the advice from security experts is to auto apply.     Is the solution to patch management less about management and more about reporting in the future?  I’m placing my bet there.