By Professor Chris Hankin, Associate Director, Institute for Security Science and Technology
Ciaran Martin, the CEO of the National Cyber Security Centre (NCSC), reports that they have received notification of 188 incidents since the centre was established at the end of 2016. A recent NCSC report suggests that 81% of large companies have experienced a data breach and that the average cost is somewhere between £600K and £1.15M.
The new UK Cyber Security Strategy was published at the beginning of November 2016. It reaffirms the UK Government’s determination to make the UK secure and resilient to cyber threats, so that citizens and businesses can prosper and be confident in the digital world. The strategy is based on three main pillars underpinned by a commitment to work with international partners – the latter being essential since cyberspace does not respect national borders. The three pillars are: Defend; Deter; and Develop.
The Strategy analyses the threat landscape. Although the threat actors have remained fairly constant over the last few years, there are new vulnerabilities. Most notable amongst these is the expanding range of devices and, in particular, the emergence of the (industrial) Internet of Things. The actual vulnerabilities identified in the Strategy include poor cyber hygiene, insufficient training and awareness, legacy and unpatched systems, and the growing availability of hacking resources.
The Strategy foresees a transformational programme which will be overseen by a new centre. The NCSC, formally part of GCHQ, was created at the end of last year and its Central London premises were opened by the Queen and Duke of Edinburgh in mid-February 2017. The ambition is to have 100 secondees from Industry working in the NCSC as Government, Industry and Academia work in partnership to address this important topic.
The Defend pillar introduces a more active approach to cyber defence — internet traffic from known rogue IP addresses will be actively blocked. It is also expected that new systems will be secure-by-default: this covers the full life-cycle of systems from design (secure-by-design) to operation (where default settings will be secure). There will also be a review and update of the Cyber Essentials scheme and a new awareness-raising campaign, Cyber Aware, which is a development from Cyber Streetwise.
The Deter pillar will focus on reducing crime through enhanced capabilities in the National Cyber Crime Unit and the regions. The UK will also maintain and enhance its sovereign capabilities in cryptography and offensive cyber.
The Develop pillar addresses the projected skills shortage. A number of initiatives are being launched, ranging from apprenticeships, to competitions and schemes aimed at 14-18 year-olds, to certified Bachelors and Masters courses in universities. The pillar also addresses the need to foster innovation through the creation of two new innovation centres, one based in Cheltenham (launched at the end of 2016) and one in London (to be launched later in 2017).
Prior to the launch of the Strategy, Government considered what regulation and incentives might be needed to engender better cyber security awareness and behaviour in companies. The Strategy places considerable emphasis on the new EU General Data Protection Regulation (GDPR) to achieve the desired behaviour changes. The main changes from existing data protection regulation concern breach notification and accountability. The former places greater legal liability on the processors of personal data if they are responsible for a breach. The latter requires that organisations are able to demonstrate how they comply with the principles of data protection. The GDPR also strengthens the rights of individuals, in particular the right to erasure and the right to data portability. The former is the much discussed ‘right to be forgotten’. The GDPR also introduces a tiered approach to financial penalties: for the most severe infringements, fines up to a maximum of 4% of worldwide turnover or €20 million, and a lower tier of fines up to a maximum of 2% of worldwide turnover or €10 million.
Whilst the Strategy promises improvement in the future, companies should take note of the current threat and act accordingly. The cost of poor cyber security will only increase under the GDPR regime. Whilst Cyber Essentials and Cyber Aware may only go some of the way to making you secure, they are an excellent start, and it is better to be safe (and secure) than sorry.