Feature

Navigating cybersecurity in the new world

For many organisations, an imminent cyber attack is inevitable. Former senior intelligence & security officer Philip Ingram MBE stresses the importance of public and private sector collaboration in order to realise the Government’s recently published Cyber Security Strategy and looks towards opportunities for knowledge sharing at International Cyber Expo, taking place on 27-28 September at Olympia, London.

The increased use of smart devices and the pandemic have forced a shift towards remote working, driving many organisations around the world to kick-start digital transformation programmes. This rapid adoption of new technologies has uncovered multiple opportunities and high-end operational capabilities to enable teams to work smarter and more efficiently. However, as organisations rush to keep their workforces online, it seems security is being left behind. In fact, a survey revealed that half or more of CISOs and CIOs said they haven’t fully mitigated the risks associated with remote work (50 per cent), digitisation (53 per cent) or cloud adoption (54 per cent).

Complex cyber attacks within government and public sector organisations are among the greatest threats to creating better operational efficiencies and processes through digital transformation. Every year, more and more organisations get caught out by cyber criminals, with damages running into billions worldwide. Indeed, the global cost of cybercrime is said to have exceeded $6 trillion in 2021.

The attractiveness of public sector data to cyber criminals means they continue to run campaigns to exploit a wealth of personally identifiable information (PII) for identity theft, financial fraud and account takeovers, or to create spear phishing emails and social engineering attacks that lead to ransomware. This is in addition to the challenge that most government and public sector organisations are working with a mix of outdated and legacy systems. According to the UK Cyber Security Strategy 2022-2030 report, 40 per cent of all cyber attacks in 2020-2021 affected the public sector.

Threat landscape
Although digital transformation brings with it many benefits, it also dramatically changes the cybersecurity threat landscape for organisations and the challenges they face. As the use of digital technologies grows, so does the threat surface, opening up many more areas for potential cyber attacks and data breaches.

For many organisations, an imminent cyber attack is inevitable. In April 2022, research from Trend Micro revealed that more than three-quarters of global organisations expect to be successfully hacked in the next 12 months. Also, the recent revelation that a suspected cyber attack leaked personal information of UK government employees, which appeared on Russian websites, makes it even more crucial that organisations focus on securing their developing networks and systems.

Taking all of the above into consideration, navigating the complexities of modern-day cybersecurity has never been harder. The increasing threat environment, expanding attack surface and continuous demands from various stakeholders for transparency are only adding to the challenges. It seems even the most talented cybersecurity professional can feel overwhelmed, a feeling made worse by the ongoing cyber skills gap.

Rallying the troops
The digital and cyber skills gap has long been a concern for the industry, resulting in overworked teams teetering on burnout. More than a human resources issue, this particular challenge also has grievous repercussions for business continuity if not addressed. Indeed, earlier this year, Fortinet produced a research report which revealed that two-thirds of IT leaders worldwide are concerned about the risks they stand to face as a result of a skills gap within their organisation. The vast majority, or 80 per cent of survey respondents, confirmed that they had experienced one or more breaches during the preceding 12 months due to a lack of cybersecurity skills or awareness. Moreover, (ISC)²’s 2021 Cybersecurity Workforce Study estimates that an additional 2.72 million cyber professionals are required “to adequately defend…critical assets”. As the threat landscape continues to grow, evolve and intensify, we urgently need to step up as a community to tackle this issue. But what can, or should, be done?

Self-inflicted shortage
The truth of the matter is the industry’s skills shortage is largely self-inflicted. The first key mistake we make is believing we need to rally troops composed of the ‘cyber elite’, or professionals highly skilled in specific and technical fields of cybersecurity. While such talent is necessary for a country’s military defence and cybersecurity-focused enterprises, it is not essential for other organisations to run securely. Our cybersecurity ecosystem has evolved significantly since the industry originally emerged, and we now have a whole range of services and tools at our disposal to build a strong defence. Today, it is enough to bring onboard decently skilled individuals with the ability to leverage these resources effectively. This significantly widens the pool of talent we can access as it is no longer confined to a minority of individuals naturally gifted in STEM subjects. Rather, it allows for the possibility of qualification through training.

Equally, we need to remember that cybersecurity is a relatively new industry and it is constantly and quickly evolving. Though someone might be an expert in cyber threats today, they are unlikely to be equipped to tackle the threats of tomorrow without committing to continuous re-education. Yet, we generally place numerous barriers to entry, requiring individuals to have X years of experience, X qualifications etc. What organisations really need are individuals who are enthusiastic to learn and a system in place to train people from the ground up, whether they are entry-level recruits or current employees who are interested in making the lateral move.

Last but certainly not least is the importance of making room for greater diversity and inclusivity. Fortunately, we have witnessed an improvement on this front over the years. A 2021 joint study by the NCSC and KPMG shows that over a third (36 per cent) of respondents are female; roughly 10 per cent are from the LGB community, higher than the estimated 2.2 per cent of the UK population that is LGB; 25 per cent identify as having a disability; and other characteristics, such as ethnic minorities, are largely in line with national population proportions. Nevertheless, this is not the time to become complacent and we do need to continue making an effort to drive the inclusion of an otherwise untapped candidate pool.

Of course, the best way of ensuring we continue to nurture diversity within the industry, and indeed to tackle any issue we face, is through collaboration.

Collaboration
Cyber resilience is critical for all governments, businesses and public entities today. The threat of attacks is not going away, so the focus must be on hardening the security of critical assets so that when criminals do target them, they are met with a robust and defensive force that prohibits them from reaching their goals.

However, government and public sector organisations are often underfunded when it comes to cybersecurity, and the current lack of resources and skills to comprehensively defend networks makes true cyber resilience difficult to achieve. Instead, most businesses will carry out some form of detection and response, but security gaps always exist which are easy to exploit and leave them vulnerable.

One of the best ways to improve the UK’s cyber resilience is through private and public sector collaboration. By uniting forces, the public and private sectors can work together to protect the UK as a joint responsibility, where they share intelligence and do more to protect small and mid-sized organisations, which are often hit hardest by cybercrime, while also educating the public.

This union is a key aspect of the UK government’s Cyber Security Strategy 2022-2030, which delivers a vision of cybersecurity resilience through public-private sector collaboration. The strategy also outlines the importance of building security into the core of the UK’s infrastructure by deploying secure-by-design principles, the importance of sharing knowledge and improving cyber education to close the skills gap.

Sharing responsibilities
While the UK is striving for a more unified public/private sector future, historically there have been collaboration challenges between the two which have hindered efforts and will need to be overcome. One of the biggest historical issues is that the government has not worked closely enough with the private sector to share responsibilities. This has led to private organisations focusing on commercially driven activities, while ignoring others that still put the public and UK businesses at risk.

Identifying the critical problems that need to be solved
What are the critical problems impacting the UK? These need to be defined and prioritised so that issues can be identified and resolved appropriately. To be seen as a global cyber leader, the UK needs to spearhead research and development into cyber defences and hacking activity. However, in the past, the country has failed to do this at a national level. Private, public and educational institutions need to work together to identify issues worth researching, then fund and execute them.

By forging a more collaborative relationship between the UK’s public and private sector, the country will reap many gains. Not only will it improve overall cyber resilience, but it will also reinforce the country’s position as a cyber leader, while also closing the digital skills gap.

International Cyber Expo
Our industry is full of impressive individuals with the resources and know-how to bring about the change we need to see. We just need a space for them to come together to do so, and that is exactly what the International Cyber Expo intends to be.

Held at Olympia London on the 27th - 28th September 2022, International Cyber Expo endeavours to be the go-to meeting place for industry collaboration, where everyone from vetted senior cybersecurity buyers, government officials and entrepreneurs, to software developers and venture capitalists, is welcome to share their experiences, knowledge and resources with peers. As one of the must-attend annual cybersecurity expos, the inclusive event is made for the community, by the community, and hosts a world-class Global Cyber Summit, an exhibition space, live immersive demonstrations and informal networking in partnership with Beer Farmers.
