What do Tesco Bank, TalkTalk and Northern Lincolnshire and Goole NHS Trust all have in common? An easy question for anyone in the cyber security business – they’ve fallen victim to security breaches.
And a critical report recently published by the Public Accounts Committee (PAC) states that while the threat from cyberattacks has been one of the top four risks to national security since 2010, it’s taken government too long to consolidate and coordinate the 'alphabet soup' of agencies that are meant to be protecting Britain online.
The PAC goes on to provide six recommendations that will increase the UK’s security. Here, I tackle the three I think are the most important.
Create a detailed plan for the National Cyber Security Centre (NCSC)
This advice comes a mere four months after the NCSC was established and it’s already been tasked with taking the lead on protecting government networks, using technology and innovation to automate defences, and taking control of incident response.
These are all huge asks and it’s vital the government doesn’t complicate matters by strangling the process with bureaucracy. My advice? As the NCSC emerges from government into industry, allow it to operate as a business and learn how it needs to effectively support commercial business.
Assess the cost and performance of government information security activities more broadly
Consider this: The UK spends billions of pounds a year on defence, but it’s extremely difficult to quantify the value of security until you’re attacked. It all depends on how you measure value – and this requires an outlook that isn’t focused purely on costs. The same outlook needs to be taken with cyber security.
It’s also worth highlighting that the recommendations only focus on preventing cyberattacks. But it’s naïve to assume you’ll never be attacked or that attackers will never be successful – even if you have the best defences possible. Prevention is just one side of the coin and an organisation’s resilience and ability to bounce back quickly after an attack should be given equal importance.
Whilst the PAC has an important role in scrutinising how government money is spent, assessing the value for money of security initiatives will always be very hard. This should be accepted – efforts to drag cyber security programmes through government value for money assessment exercises will just stifle the innovation needed to tackle this challenge.
Plug the cyber security skills gaps
Up until now, the government has focused its initiatives on undergraduate level and beyond. But with just 10% of pupils taking a GCSE in Computer Science in 2015/16 and less than 1% of A Levels taken in Computing, the focus needs to be on engaging schoolchildren from a young age.
Our annual Raspberry Pi competition aims to do just this. It gives students as young as eight the opportunity to gain hands-on experience of computer programming and engineering. Lessons should also be learned from Israel – a country renowned for its cyber security prowess. The necessary skills are embedded in the curriculum from an early age; both Israeli academia and the military continue to put cyber-security at the top of their priorities, generating a continuous and sustained pool of cyber talent that supplies industry.
Good steps are being made but, as highlighted by the PAC, there’s still a lot to do. This is inevitable when tackling such an emergent and dynamic challenge. It’s only by taking a different approach across these three fronts that the UK will increase its chances of preventing cyberattacks – and recovering from any attacks it does fall foul of.
Is my SOC making any difference?
By JOHN SKIPPER, PA digital expert
Information security breaches keep happening. Many of them we don’t see, but those we do vary significantly in their apparent goals and the attack methodology - depending on the nature of the organisation and service being attacked. And how you react to them depends very much on your business priorities – whether your focus is on defending critical information assets, preventing financial crime or protecting reputation. So your risk depends very much on your business.
Despite this, cyber security is often perceived as a technology thing, oriented around boundaries, controls and monitoring that are essentially the same for everyone. How can you tailor your cyber security investment to the specific needs of your business and your risk appetite?
I believe this starts in the Security Operating Centre (SOC), which for most is the heart of their cyber response capability. It means making sure you have the right threat intelligence, you are gathering the right event data, applying the right analytics, prioritising the right incidents and responding in the right way. Most importantly, your SOC team needs to have the right mindset and understanding of the business context. The threats that matter for an online payment processor will be very different from a nuclear power operator. Ultimately, if your security analysts don’t understand the business they are trying to protect, they will be chasing the wrong threats and all the money you have spent on tools such as Security Information and Event Management (SIEM) will have been wasted.
The use of ‘security scenarios’ can really help to focus your SOC on the threats that really matter to your business, help them recognise the really serious incidents when they occur, and make sure they respond quickly and appropriately. When I’m with clients, I use three simple steps to define a set of security scenarios:
1. What incidents have hit you in the past?
2. What incidents have hit your peers and competitors?
3. What else do you think could go wrong in the future?
By assessing the impact of these scenarios and the difficulty of detecting them, it is straightforward to prioritise them and determine where your SOC should focus to make the biggest difference to your business risk. You can then determine the event data and analytics you need to bring into your SOC, and the playbooks to triage and contain potential incidents. You can also make sure you are spending your money where it will deliver the best return, in terms of risk reduction.
This approach is already helping to protect one of the UK’s most important defence businesses and has dramatically improved the effectiveness of their SOC. Could it help ensure your SOC is actually making a difference?