The government recently published its long awaited Digital Strategy earlier this month. It was originally delayed by almost a year thanks to the shock of Brexit and has now been positioned as a post-Brexit strategy for the UK. Amongst other areas, such as data and digital infrastructure, it’s clear that the state of the nation’s cyber security and, importantly, its future is a critical concern.
There’s certainly much food for thought when it comes to the cyber state of the nation. This post-Brexit digital strategy includes new commitments from private businesses, such as Lloyds Bank’s pledge to give face-to-face digital skills training to 2.5 million individuals, charities and small- and medium-sized businesses by 2020. Similarly, Barclays has offered to teach basic coding to 45,000 more children and assist up to one million people with general digital skills and cyber awareness.
Since the Digital Strategy was revealed, Philip Hammond’s first Budget also recognised the UK's global digital reputation, with £270m of funding earmarked for innovation and skills proving great news for the technology industry. It’s no secret that the UK is currently suffering from a serious lack of digital skills, especially where cyber security is concerned, so hopefully these recent government initiatives will help further plug that gap. Principally, Britain's economy relies on digital infrastructure, which is a clear strength and, thanks to leading and alternative broadband providers, cities all across the UK are now benefitting from a fit-for-purpose digital infrastructure, which eases the pressure on transport networks due to more work being done online. However, unless we’re careful this very strength is also a weakness when we’re unable to protect ourselves from the various online threats we’re currently facing.
Teaching practical everyday advice
While the aim to make the UK the safest place in the world to be online is no doubt a commendable one, the worry is that there is still not enough tangible education on cyber security matters – particularly if, as suggested in the Digital Strategy, only one million people are offered the opportunity of such education. Major companies – from Talk Talk, British Gas, and M&S – have been hit by breaches in their security systems, with customers and staff files being exposed. What’s more, one of the principal causes of data breaches is lost or stolen credentials and unless more people are educated on cyber hygiene, the situation will never be reversed.
Many people of all ages still lack basic cyber security hygiene skills, and, rather than reserving cyber awareness for a select few, more must be done to remind individuals and businesses alike that, through cyber ignorance, their desk neighbour could pose as much of a threat as a clandestine hooded hacker. Indeed, for many businesses, the biggest security threat comes from their own staff, either through ineptitude or – perhaps most worryingly – vengeance, as was seen, for example, when in 2014 a former Morrison’s employee, disgruntled at losing their job, leaked the company’s entire payroll database to journalists. As a result, the organisation estimated the investigation and remediation of the incident cost it £2m.
As such, it’s paramount that government plans go beyond warning against out-of-date software and instead teach practical everyday advice, such as opting for multi-factor authentication over simple passwords to prove users are absolutely who they say they are. As attack vectors expand, thanks to technologies such as the cloud and BYOD policies, the importance of a comprehensive cyber security education – for businesses and Government alike – cannot be understated.
Beyond robust password managers, multi-factor authentication (MFA) is vital to truly ensure someone is exactly who they say they are. It works by using a number of factors – such as location, IP address, device and so on – to accurately determine a user’s identity. It ensures that, should one of the criteria raise concerns, more checks can be used to determine if access should be granted. Not only does this mean sensitive business data is protected from falling into the wrong hands, but it also doesn’t automatically lock someone out if one element does not match their usual behaviour – if they are abroad, for example.
Re-thinking the approach
But authenticating a user is far from the only challenge. As organisations have moved more data to the cloud and, in some instances when employees have access to applications, such as Dropbox, without the necessary approval from the IT team, it’s becoming more difficult to know what data is where and who is able to access it. This weakens a business’ security position further and it’s imperative now that tools are in place to provide greater visibility and to allow employees access, while at the same time controlling the outcomes of what happens to that data.
But all of this requires education. It requires every person in the country regardless of their age, where (or if) they are employed or their roles, knowing what is good cyber hygiene and what isn’t. It involves educating people on where to store data, when to avoid clicking on links and where to avoid using public WiFi. It also requires us to think about the future now and encourage our school-aged children to become cyber professionals, as without more talent to fight the bad guys, we’re never going to win. This is where the government should be focussing their funding. Not just on the select few, but on each and every one of us.
And it’s not just governments that have a role to play here: for far too long, the security industry has encouraged businesses to install multiple, complex systems that require intimate and specific knowledge to really be effective. It’s now important to re-think that approach and, instead, offer unified solutions that are user-friendly and provide the visibility that is required. For too long we’ve helped cyber criminals in their aims by installing disparate systems, that don’t talk to each other and create far too many blind-spots.
While the Digital Strategy has been designed to see us through Brexit, perhaps we should also use it as an excuse to re-evaluate our practices and consider how we can really and truly secure the UK’s future.
Ed Macnair, CEO at CensorNet
Image source: Shutterstock/jijomathaidesigners