Last month, the government outlined its £1.9 billion plan for protecting the UK against mounting cyber threats.
By Whitehall’s own admission, however, the success of its five-year National Cyber Security Strategy (NCSS), which also aims to cement Britain’s position as a global leader in online security, will rely heavily on the backing of boardrooms across the country.
With well-resourced criminals continuously refining the sophistication of their attacks, business leaders need to do more both to promote the importance and benefits of strong cyber security and to fund the level of innovation required to keep pace with malicious threat actors.
Lessons to be learned
The 2011 National Cyber Security Strategy, underpinned by the government’s £860 million National Cyber Security Programme, introduced substantial improvements to UK cyber security but did not deliver the level of reform needed to keep pace with fast-moving threats.
The acceleration of technology means that the threat landscape is constantly evolving.
The increasing mobility of the workforce, combined with the growth of cloud computing and IoT devices, is an example of a current trend that will continue to widen the attack surface over the next few years and create new security challenges.
With their commitment to implementing active cyber defence on a large scale, the government’s latest plans are ambitious yet highly commendable.
For the NCSS to be successful, considerable backing from the private sector is needed to ensure that new standards and technologies are widely adopted.
Too often products and initiatives with the potential to drive improvement fail through a lack of support and early adopters.
The stakes have never been higher
Unfortunately, many businesses are still too complacent when it comes to tackling cyber threats.
Company bosses that fail to prioritise cyber security need only look at recent damaging attacks affecting organisations including Tesco Bank, Yahoo and Three mobile to realise that the threat is very real. Attacks can happen to anyone.
The aggressive yet covert nature of today’s attackers means that threats can proliferate very quickly and, in many instances, breach an organisation without it even knowing.
Vital systems can be taken offline, valuable company data compromised and intellectual property stolen.
The financial damage inflicted by the latest cyber breaches is well documented, but perhaps less so are some of the intangible costs that can mask the true extent of an attack.
A report by Deloitte highlights less visible costs such as higher insurance premiums, devaluation of the trade name and loss of customer confidence as being responsible for a nine-fold increase in the overall cost of a cyber-attack.
Building customer trust takes time, but a cyber-attack can erode it overnight.
Telecoms provider TalkTalk is reported to have incurred costs of £60m and lost over 100,000 customers after being targeted by a hacker in March 2016.
The consequences of suffering a cyber breach are set to be even more costly for businesses too, with the introduction of the General Data Protection Regulation (GDPR) in 2018.
To illustrate this, under GDPR the supermarket chain Tesco would be facing a fine of up to £1.9 billion for the cyber attack on its banking arm that led to 20,000 customer accounts being compromised.
Should a cyber breach happen, organisations need to realise that they are liable for the consequences, and they should prepare a risk management strategy that protects not only business interests but also those of affected employees, customers, business partners and investors.
A proactive approach to defence
For all businesses, adopting a more responsible approach to cyber security is surprisingly affordable and can cost far less than attempting to mitigate a breach post event.
By undertaking certification as part of the government’s Cyber Essentials initiative and readily sharing threat information, businesses can quickly address the key controls needed to significantly reduce their security risk.
To achieve the level of protection needed to combat evolving attacks, all businesses will need to move towards a more proactive approach to defence.
Penetration testing as well as managed detection and response services can help boost security posture by uncovering vulnerabilities, hunting for threats and providing clear remediation advice.
The use of specialist tools and services also extends to more thorough testing of products and services, reducing the number of distributed denial of service (DDoS) and other attacks that exploit zero-day vulnerabilities and insecure device configurations.
Product security testing is likely to become a key area of government focus with plans announced to explore the idea of a security rating system to provide clear information about which products and services offer the greatest protection.
Addressing the skills gap
Effective cyber security isn’t just about eliminating technological vulnerabilities.
A lack of general awareness of best practice amongst workers continues to be one of the biggest reasons for successful attacks within the workplace.
By innocuously clicking a link in a phishing email, plugging an infected USB stick into a computer, or by downloading unsafe content from the internet, employees can quickly compromise an organisation’s security.
With just under a fifth of companies reported to have required staff to undertake cyber security training in the last year, businesses need to do more to elevate cyber security to a key operational issue, one of importance to the whole workforce, not just the IT department.
The government’s pledge to improve security education from a young age will definitely help to raise the importance of good cyber hygiene.
Plans to address the shortage of cyber security skills in the UK by investing in school and university programmes will undoubtedly require action over the next twenty years, not just the next five.
Training the next generation of security professionals will also require the backing of the private sector to provide talent with the opportunities to develop specialist skills and experience.
Maintaining Britain as a leader in cyber security
The government’s new NCSS will certainly help to drive the embedded and sustainable approach needed to improve cyber security across the UK and to improve confidence in British business at a time when there are question marks around the impact of Brexit.
Wider support from the private sector will be needed, however, not only to collectively tighten defences but also to invest in the people, technology and programmes needed to stay ahead of rapidly evolving threats.
The tightening of cyber controls shouldn’t be seen as a chore but as a necessity. Businesses committed to improving their cyber credentials will not only minimise the risk of suffering a cyber attack but also demonstrate a key competitive advantage.
Should company bosses fail to take the initiative and build upon the foundations being laid over the next five years, cyber threats will outpace businesses’ ability to protect against them.
Sourced by Gubi Singh, COO at Redscan