What part can you play in a £1.9bn government cybersecurity strategy? The Chancellor recently announced that the UK is to become ‘the most secure cyber environment anywhere’, a place where ‘government, business, security agencies and academia work together to defeat the hackers and the phishers, the criminals and the rogue states’.
To achieve this, the Chancellor has committed £1.9bn to a new cyber defence strategy, one which will: a) defend the public from malicious activity, b) deter those who aim to steal and cause cyber-harm, and c) develop the capabilities and skilled individuals that the economy needs to keep pace with cyber threats in the future.
This £1.9bn undertaking should come as no surprise to the cyber community or citizens alike. In the last few months, we have seen high impact DDoS attacks, Russian attempts to influence the foreign political landscape and ransomware attacks on healthcare organisations. All of these events have put sensitive information and systems at risk. The UK 2016 Cyber Security Breaches Survey reported that nearly a quarter of UK based firms suffer one or more security breaches every year.Similarly, the Office for National Statistics reports that UK citizens aged 16+ have been subjected to 1.8 million cyber related incident of fraud.
It is clear that the frequency and scale of cyber threat has increased, both for the day-to-day consumer and businesses of all size. But, a safer cyber environment is not a burden that should rest solely on the government’s shoulders. Both businesses and individuals play a key role in securing the very environment in which they work and operate. The responsibility to defend, deter and develop rests on all our shoulders.
Defend: Where do security threats come from?
To be able to defend sensitive information, individuals, businesses and government alike must seek to continuously understand the different types of cyber threats they are likely to encounter. Only then, will they be able to identify what role they can play in making their online activity more secure. Adversaries have varied motivations - we could consider classifying threats into one of four or five categories.
There are bad guys who want to steal money, to steal ideas, to steal data, disrupt temporarily or sabotage permanently. Opportunistic criminals will use large-scale attacks to snare as many victims as possible, but those who want to gain something specific from an individual may be more refined. Criminals only need a little bit of time, a little user error and some cunning to navigate IT systems and hide from detection.
But cyber-attacks are not all equal meaning that there is no single tactic which will successfully protect against the modern cybercriminal. Some threats are persistent, underhanded and will keep trying until they get what they want, as they learn and develop new ways to evade defensive controls. Identifying the different types of threat and grasping the tenacity that some modern cyber threats have is merely the beginning. Going further, it should motivate businesses to invest in the right people, processes and technology. Defence begins there.
Deter: How can businesses contribute to the national cybersecurity strategy?
The Chancellor argued that the best form of deterrence is to ‘detect, trace and retaliate’. However, for businesses, the best form of deterrence is to detect a security breach and trace information that will assist in understanding the threat. Once detected and traced, any further steps should be left to authorities such as the National Crime Agency or the Information Commissioner’s Office. Security risks can present themselves in many forms including a data breach through the network, data leakage by employees, or lost laptops or mobile devices.
A 2016 Cyber Security Breaches Survey concluded that only 50 per cent of all firms have taken suggested actions to identify and address security weaknesses. Moreover, only 1/3 of all firms had official cybersecurity policies on paper and only 10 per cent had a crisis management plan in place. A consequence of this is cybercriminals appear to be increasingly turning to SMBs due to them lacking the security measures and right in-house expertise to protect themselves.
SMBs should be encouraged that an effective information security strategy does not need to be costly, and can be put in into action through two tried and tested principles:
- The first step is for businesses is to identify what data the company, has, classify it, and for the most sensitive data is, locate where it is stored and control (hopefully minimise) the number of people who have access to it.
- The second step is to consider the detective and preventative controls in place, identify gaps and plan to close or mitigate those gaps. Can be tough to improve with competing priorities on time, many enterprises hire professionals to prevent, detect and/or trace any security incidents.
By following these steps, all businesses can gain the benefit of a military-grade approach without incurring massive costs.
Develop: ‘Cyber-threat conscious’ consumers turned ‘skilled cybersecurity professionals’
The key to defending data and deterring criminals is the cybersecurity talent of today and the future. Not only do we need to encourage professionals to understand and respond to the behaviours of hackers, we also need to focus on the future industry talent. While defend and develop can be both short-term and long-term strategies, developing the future cybersecurity professionals focuses on future long term planning.
A significant percentage of today’s young consumers can become future cybersecurity professionals, so we must ascertain ways to gain their interest regarding the importance of cybersecurity, attract them to a career in the field and then continue to cultivate and develop their skills.
According to a 2015 ONS research, nearly all UK households (around 97 per cent) with children had an internet connection. In addition, children spend more than double the time on the Internet than they did in 2005, with the hours spent per week increasing each year. For this reason, programmes stirring interest in a cybersecurity career amongst children should be encouraged, as these young, internet- savvy consumers will form the graduate pool from which the government and businesses will hire their talent in the future.
Children’s critical understanding of the cyber sphere has traditionally been focused on understanding the benefits of the internet and avoiding the risks. However, the number of 8-11s who say that they would not tell anyone if they saw dangerous content has gone up since 2014. Letting both young and old individuals know that they play an active role in the security of the overall cyber environment should be encouraged. Knowing the many types of threats they are exposed to and encouraging an active involvement in the online security of their peers and community can lead to interest in the cybersecurity profession in later stages of their education.
The cybersecurity skills gap has been increasing and the need for experts will only grow in the coming years. The security industry is already drumming up interest with the likes of the Cyber Academy and GCHQ-sponsored hacking challenges, but it is not too late to appeal to students at university. By hosting open information days, cyberstalks and other events, both the government and security firms can help capture interest and encourage graduates to apply for their schemes.
However, the security industry needs to do more than just attract technically-talented individuals. All businesses should nurture their talent and invest in their development because the security staff must learn and adapt in the same ways the hackers do. Why is developing existing and new talent of such great importance? Stagnation in staff development can result in a stale security strategy and data at risk. In a dynamic and dangerous environment such as today’s cyber sphere, businesses cannot afford this.
Yet, the true rising stars of the cybersecurity sector offer more than technical talent. Communication skills have an increased importance due to transparency being a key principle of a trustworthy business and government. Many officials don’t want to know the technical details of a malware, but want to understand the impact on their business and governance. Therefore, those who can communicate concerns in business-friendly language are those with the most promising futures in the cyber security industry.
In the past two decades, education establishments have begun progressively nurturing excellent communication skills in students. Considering that the true rising stars of the cybersecurity sector will be required to justify their decisions and investments to senior management, these students are the most promising cybersecurity talent that UK has. Their development is crucial in developing a safer cyber platform.
All for one and one for all?
While “All for one and one for all” is best known as the motto of the characters in the ‘The Three Musketeers’, it means that all the members of a group support each other, and each individual members pledges to support the group. This holds true regarding the future of our cyber sphere. Accepting this motto will allow individuals to “see themselves” and find the part they play in the cyber battle.
Businesses should make sure they are following government and security industry guidelines, have up to date security infrastructure and invest in new talent. Individuals should remain vigilant and aware of online risks – they play an active role in their own online security. Furthermore, government, businesses and the security sector in general must invest in the development of current and future talent. And, a £1.9bn worth cybersecurity strategy which includes talent development schemes is a pretty good start. All for one and one for all indeed.
Don Smith, lead of Counter Terrorist Unit, Cyber Intelligence Cell, SecureWorks
Image source: Shutterstock/igor.stevanovic