Industry reactions: UK government cyber security strategy
Yesterday, the UK government announced a new £1.9bn cyber security strategy, which includes an increase in automated defences to combat malware and spam emails, investment to recruit 50 specialists to work on cybercrime at the NCA, the creation of a Cyber Security Research Institute, and an “innovation fund” for cyber security start-ups.
Here are some of the industry comments Help Net Security received.
Jason Hart, CTO Data Protection at Gemalto
It’s encouraging to see that the government is making cybersecurity a priority in its latest round of investment, especially with less than two years until GDPR comes into effect. The focus needs to be on securing our most valuable asset: data, instead of just on the perimeter, which hackers can and will breach if they want to. In order for the government’s strategy to be successful, they need to encourage businesses to understand where their most valuable data is, and bring security controls closer to the data in order to ensure user and device access controls are in place.
The threats we face are not just about data being stolen anymore either; businesses have increasingly become victims of data manipulation, the next frontier of cybercrime. Through data being changed, businesses can make vital decisions based on incorrect or exaggerated information, which hackers can exploit for financial gain, or purely for reputational damage – implementing protocols where the data resides helps protect against that.
John Smith, Principal Solution Architect at Veracode
Following the launch of the National Cyber Security Centre last month, the British government is clearly making a concerted effort to secure the country against the ever-evolving threat landscape. From organised criminal groups and script kiddies, to hacktivists and foreign states, the threat of data breaches is real and the effects can be severe. The data, digital identities and even lives of citizens can be impacted and, in some cases, put at risk. Both the UK government and UK businesses suffer when valuable secrets are stolen and given to outside interests.
However, it is essential that beyond investing in the agencies which deal directly with active cyber defences, the government takes a more holistic approach to cybersecurity. Greater education around security threats is needed to reduce the nation’s cyber risk. Consider the government’s Cyber Streetwise campaign, which recently found that two thirds of SMBs don’t consider their business to be vulnerable – despite evidence proving that cyber-attacks are on the rise. When combined with the recent NAO report attacking the government’s “dysfunctional” approach to data security, it is clear that much more can – and needs to – be done.
Rob Norris, Director Enterprise & Cyber Security EMEIA at Fujitsu
This £1.9bn committed by the UK Government in the fight against cyber-crime, and to educate and train the cyber security experts of the future, is welcome. As attackers continue to take the easiest route possible to breach a network, it has never been more important for organisations to be vigilant when it comes to cyber security.
However, while this announcement is encouraging, organisations must also take responsibility and take the fight to cyber criminals before they can act. This should be done through real-time threat reporting, a clear and well-rehearsed incident management plan and addressing internal and external communication, in addition to containment and recovery activities.
With the new EU GDPR legislation coming into effect in 2018, it’s now time for organisations to stop being hunted and instead become the hunter when it comes to cyber security. Ensuring a compliant business environment, that will help protect the company and its employees, needs to be the number one priority.
Azeem Aleem, Director of Advanced Cyber Defence Practice EMEA for RSA Security
The UK’s latest cyber security strategy highlights the government’s continuous determination in the fight back against cyber crime. However, is £1.9bn over five years sufficient to address the core problem? Our industry has built itself on illusions (one fix works for all) – the government needs to develop filters to chalk out the white noise and follow patterns of attacks that are specific to business industries/domains. Doing this would require more than £1.9bn.
The strategy can only be successful if we are able to develop a holistic partnership among industry, academia and government bodies.
The industry is facing a drought in terms of core expert skills in this sector. Graduates are coming out of universities with a clear lack of alignment with the industry, which is hindering the effort in the fight against cyber crime.
Andy Powell, VP, Head of Cybersecurity at Capgemini UK
Any investment to strengthen the national infrastructure against the proliferation of cyberattacks is strongly welcomed. Bringing universities and think tanks together is a very good thing too, but we must avoid over-focus on tools and technology and do much more to develop our people and processes.
Increasingly it has become more about how we apply the technology, rather than the tools themselves. So, in order for a strategy like this to be effective, it needs to be enacted properly and enforced through mechanisms such as legislation – this being the key to creating good behaviours at the board level and prompting much needed investment.
With the UK Government showing its commitment to boosting cybersecurity, it will be interesting to see if it will commit to the EU’s General Data Protection Regulation (GDPR) – which, while two years away, needs actions to start now and will apply large fines to organisations failing to protect personal data properly – despite the decision to leave the EU.
David Navin, Corporate Security Specialist at Smoothwall
The modern-day business should know that when it comes to cyber security and the protection and defence of a company’s data, systems and intellectual property, security is of utmost importance. However, as we have seen even recently in the news, it is not always the case, and so the announcement today from the Chancellor of a £1.9bn spend to boost the UK’s cyber security strategy should be well received.
Hopefully this new government spend will resonate with UK boardrooms and show the importance of having a robust security program in place, with everyone from the CEO to the CFO and CTO educated about the risks and understanding the importance of having strong enterprise-grade security measures in place.
Businesses should not rely on one security supplier when trusting them to protect their business. Instead, businesses should build their resilience through multiple layers of firewalls, encryption and good security software providers, so that if one is compromised, the others are all in place and maintaining that high level of protection.
Thomas Fischer, Threat Researcher and Security Advocate at Digital Guardian
The plans announced by the government demonstrate a good application of investment across the three cornerstones of IT security: people, process and technology. Many of the automated tools discussed in the strategy are widely available to businesses today, but we still come back to the issue of ensuring that the proper processes are in place and people are provided with the right skill sets and training.
Faced with a constantly changing business landscape and changes in staff, it is very difficult for businesses to ensure security processes are well applied and that a strong foundational security culture exists.
Most organisations already accept that it is not if, but when, they will be breached. This expectation may well reflect the fact that malicious parties are now more likely to extort the victim, or release the data to forums or even the public. Time and the security skills shortage are the enemies in this situation, and they make it hard to ensure the three cornerstones are kept current and relevant.
Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks
The sophistication of cyber threats is ever-increasing, and attackers working with state support or independently often view the government as low-hanging fruit. With its reliance on outdated infrastructure, some systems are vulnerable, and it’s citizens and businesses that would bear the brunt of any cyberattack on critical networks.
The new government strategy reveals the renewed focus on keeping the country secure. Yet, the published document also states that the government alone cannot provide for all aspects of the nation’s cyber security, meaning businesses must step up to the plate.
Cyber security has traditionally been relegated from the boardroom to IT, but Hammond’s speech should provide the impetus to make it a company-wide endeavour. Data is now the crown jewels of any firm, and CEOs can no longer expect others, whether government or individual departments, to protect them. They are liable for any data that is compromised when in their care, and that means they must adopt the technology and processes that ensure its safeguarding. After all, car manufacturers put bumpers on cars and the government puts footpaths on most streets, but a parent still has to teach their children not to run across the road without looking. In cyber security we are all responsible for taking the best care we can of our data assets, which contributes to the nation’s security.
Stephen Love, Security Practice Lead EMEA at Insight UK
It’s certainly admirable that the UK government has committed to spending £1.9bn to fight the rising threat of cybercrime. Given the skills shortage in the cyber security field, the announcement of providing financial support to ensure a continuous talent pool is most welcome. By the same token, training and re-training security experts is absolutely crucial to tackle this issue and a requisite for the success of the plan.
However, without businesses taking proactive measures to fight the risk of data breaches, a national scheme is just one drop in the ocean. Cybercrime is a well-organised, well-run machine and everyone impacted must take responsibility to take pre-emptive measures to protect their data. This begins with a thorough assessment of what portion of one’s data is most valuable and needs closer security attention and should end with the implementation of a sophisticated cyber security strategy.
What is important here is planning ahead, especially in light of the upcoming EU GDPR legislation. Addressing any outstanding issues now will allow businesses to budget and prepare for a compliant business environment and ensure they are one step ahead.