Security progress can’t continue without a commitment from government and business

Despite major hacks at leading brands such as Three Mobile and Tesco Bank, 2016 was a year of considerable progress for cybersecurity in the UK.   

The government demonstrated that it is taking the cyber threat seriously, opening the National Cyber Security Centre and launching a new national strategy. And in the private sector, there were encouraging signs that business leaders understand the scale of the problem they face.

For progress to continue in 2017, both government and business must take two crucial steps:

- The government must give a concrete guarantee that cybersecurity will not fall by the wayside during the Brexit process;

- UK business must recognise that cybersecurity is a fundamental risk to its survival and upgrade it to a Tier One threat.

Maintaining standards after Brexit 

Over the last year, we have seen the continued advancement of three pieces of EU legislation: the Network and Information Security Directive; the Payment Services Directive 2; and the General Data Protection Regulation. These go beyond the current rules and practice of informing the Information Commissioner of a breach, imposing a variety of extended reporting requirements across Britain's business community. Improving transparency in this area will benefit everybody, and these legal instruments represent significant progress for the UK.

But the vote to leave the European Union has cast a shadow of uncertainty over the continuation of EU-derived legislation, including laws that provide a clear and obvious benefit. The government needs to issue a guarantee that the exit negotiations will not see the UK go backwards on cybersecurity.

The provisions of these three laws must be implemented between January 2018 and May 2018, well before the Prime Minister's projected date for leaving the bloc. The government's ability to implement these principles, and its commitment to keeping cybersecurity a top defence and business priority, is not in doubt. The concern, however, is that the fiendishly complicated transposition of existing EU legislation into UK law may leave some protections falling by the wayside. The risk of cyber defence dropping off the agenda may be lower than in other areas of policy, but its growing significance in our lives means that no doubt can be allowed to fester.

We need a clear guarantee that these legislative principles will be maintained after Brexit. This guarantee can take the form of a 'Great Repeal Bill' or some other legislative tool. Consumers need certainty that business will report any compromise of their personal data. Business needs to know that any serious failing will be made public. The government needs to continue its leadership and ensure that nobody shirks their responsibilities after Brexit.

A Tier One Threat 

Last year, the Government reaffirmed its classification of the country's cyber threat as Tier One, the same threat bracket occupied by terrorism and international military conflict. The classification acknowledges what many of us in the sector have long understood: UK commerce is at grave risk of cyberattack. More important than the label is the strategy and investment that come with it: more than £1.9 billion of government funds over the next five years, two new cyber innovation centres, and further development of the UK's offensive capabilities.

Business, though, can no longer rely solely on Government. It is time for companies to step up and recognise cyber attacks as a Tier One threat.

For this to happen, boards need to close the accountability gap at the top of their organisations, raise internal awareness of the issues they face, and adequately prioritise and invest in their companies' cybersecurity, in both people and money. When two out of five non-executive directors, C-level executives and CIO/CISOs say that they do not feel responsible for the repercussions of a cyberattack, only 29% have a formal cybersecurity policy, and more than one in five do not think it is an issue for their business, it is clear that cybersecurity is not receiving the attention it deserves in the private sector.

An essential first step is to follow the government's approach and require large businesses to have a named person at board level with responsibility for cybersecurity. The Chancellor established a Cyber Committee, bringing together Ministers from a whole host of Departments to tackle the issue. The equivalent move in the private sector would elevate cybersecurity to the same level as, say, the company's financial health or product direction.

With a leader in place, businesses should again take a page from the government playbook and implement their own cyber strategies. The most successful companies have strategies for everything: growth, recruitment, communications, and continuity risk. Each is tailored to the company's own strengths and weaknesses because, as we all know, every business is different. A cyber strategy needs to be well thought out and tailored to a company's specific vulnerabilities and risk profile.

The Government has said it is ready and willing to work with the private sector to tackle this growing risk. It has committed funding, established a National Cyber Security Centre and released a comprehensive strategy. We now need businesses to follow suit.

Conclusions 

We will no doubt see more high-profile hacks in 2017. The threat is continually evolving, and as technology advances, the potential attack surface grows. While we saw parts of the UK moving in the right direction in 2016, several key areas remain unaddressed. 

The government must not waver in its commitment to cybersecurity during the all-consuming Brexit process, and it must guarantee that companies will still be required to be transparent about breaches. The UK business community must follow the government's example and recognise cyber as a top-tier threat, despite the distractions of other market and political pressures.

We must never be satisfied with our achievements. If 2017 is to be a successful year for cyber, nobody can rest on their laurels. Business and government must commit to continued progress.

Scott Rubin, Head of Policy at Tanium 

Image Credit: ESB Professional / Shutterstock