April 2, 2017
The theoretical and human rights issues relating to privacy are well known. But the danger to businesses from cyber attacks that take personal information is often ignored. It is a matter of lax regulation and a lack of insight into the impact of such threats on business.
The UK National Cyber Security Centre has issued a sobering warning in its report The cyber threat to UK business 2016/2017, while the Institute of Directors’ report Cyber security: Ensuring business is ready for the 21st century highlights shocking ignorance within the business community.
The National Cyber Security Centre highlighted that:
- attacks on internet infrastructure, such as domain name servers, have the potential to affect multiple organisations
- the growing cyber risk stemming from the connectivity of devices, many of which are insecure
- consumers can expect to see a rise in the number of ransomware attacks on their connected devices
- cyber crime is becoming more aggressive and confrontational, with an increase in the use of extortion with ransomware being the “most common cyber extortion method”
- businesses should consider further mitigation and preventative solutions such as appropriate backups and defensive systems that automatically sandbox email attachments
- financial trojans “have become more targeted and less visible”, posing a risk to banks
- the back-end systems and associated services of larger institutions will continue to be a target
- there is a need for a collaborative response across industry, law enforcement and government, with the ultimate aim of protecting customers and the UK economy.
The Institute of Directors is strongly of the view that not enough is being done about cyber security, noting:
A worrying number of UK businesses have no formal plan to protect their business from a cyber-attack and the number of companies preparing themselves has not improved from a year ago. This is according to a new report from the Institute of Directors and Barclays, launched today.
Although almost all companies (94%) think security of their IT systems is important, only half (56%) have a formal strategy in place to protect their devices and data, unchanged in the last year (from 57%). The report, Cyber security: Ensuring business is ready for the 21st century, supported by Barclays, shows that despite a number of high-profile cyber-attacks over the last year, more than a third (37%) of IoD members lead or work in organisations without a formal cyber security strategy, and worse still, in the event cybercrime was to hit their business, 40% would not know who to report it to.
The new General Data Protection Regulation, which comes into effect next May, will make companies much more accountable for their customers’ data. The IoD and Barclays are urging business leaders to step up their preparations now.
The Government has made positive steps in the last year to protect business and consumers, particularly by founding the National Cyber Security Centre, the report said. By bringing together several different agencies, and placing the centre within GCHQ, the UK authorities are well-placed to detect and understand cyber threats. For businesses, however, ultimate responsibility will always lie in the boardroom. The report reveals almost half of UK firms (44%) don’t have any cyber awareness training for their employees. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.
Stephen Martin, Director General of the Institute of Directors, said:
“The UK is a leader in the digital economy, but if we are to build on our existing strengths and capitalise on new technologies, we have to go into the future with our eyes open to the risks. This report has revealed that business leaders are still putting cyber security on the back burner. The results, even for small and medium-sized businesses, could be catastrophic.
“With threats evolving all the time, and demanding new regulations just around the corner, we cannot afford another year of complacency from business. Now is the time for firms to test their defences and make sure all of their employees, including management, have the right skills and knowledge on cyber security. This isn’t an IT issue, it’s a business survival issue.”
Adam Rowse, Head of Business Banking at Barclays, said:
“In this digital age, cyber security should be a priority for every single business. More must be done to help businesses recognise the threat an attack could have not just on their bottom line, but to their reputation or even future existence. Keeping customers’ data safe and secure is a legal responsibility so they need to prepare for the unforeseeable.
“SMEs need a strategy in place to weather cyber-storms – a head-in-the-sand approach won’t do. This could include a resilience plan raising staff awareness of the common types of attack, investing in up-to-date software protection and knowing who to report the crime to if the unexpected occurs.
“At Barclays we want to help UK businesses and their employees to fight back against the cyber criminals, so we’ve launched free cyber security training at our Eagle Lab sites across the country, led by Barclays’ Digital Eagles. Knowing how to stay safe and protected online is a major step forward for businesses to operate with digital confidence.”
Barclays’ partnership with the IoD is part of the bank’s drive to empower the general public with digital confidence and skills, and to raise awareness of the importance of cyber security. Earlier this month the UK Government announced Barclays had signed up to its Digital Strategy, committing to assist at least one million people with digital skills and cyber awareness.
The UK Minister of Digital and Culture highlighted the importance of cyber security in his speech to the Institute of Directors. The speech provides:
Cyber security is such a crucial part of our modern economy. It’s something the Government is determined to get right, so it’s great to see the Institute of Directors tackling the issue.
When the IoD was founded in 1903, the world of communications was radically different. In fact, January of that year saw the very first ever transatlantic radio broadcast between the UK and the United States.
When Marconi sent those first radio signals, I wonder if he realised how pervasive and important globalised communications would become over 100 years later. I wonder also if he considered how important security would become.
He got an indication later that year, because in June, when demonstrating the sending of a radio signal from Cornwall to London, he was the victim of one of the world’s first hacks. A rival inventor, unimpressed by Marconi’s supposedly secure system, hijacked the demonstration by transmitting his own messages to Marconi’s Morse code printer, in an act Marconi branded “scientific hooliganism”.
This story is interesting for a number of reasons.
Firstly, the idea that someone could monitor or interfere with radio signals made Governments sit up and take notice. Ultimately this led scientists to develop systems of wireless encryption which were then used during the world wars – and encryption plays a crucial role today.
Secondly, it demonstrates a problem which still exists: the tension between wanting to quickly get a new product onto the market, and the need to make it secure.
These are both issues with us today. They are at the heart of the Government’s recent National Cyber Security Strategy. Through the strategy we’re investing £1.9 billion to defend the UK in cyber space, deter our adversaries and develop our knowledge and capability in cyber security.
We know the scale of the threat is significant: one in three small firms, and 65% of large businesses are known to have experienced a cyber breach or attack in the past year. Of those large firms breached, a quarter were known to have been attacked at least once per month.
It’s absolutely crucial UK industry is protected against this threat – because our economy is a digital economy. Over 95% of businesses have internet access. Over 60% of employees use computers at work. The internet is used daily by over 80% of adults – and four out of five people in the UK bought something online in the past year. And we know the costs of a successful attack can be huge. My message today is clear: if you’re not concentrating on cyber, you are courting chaos and catering to criminals.
This is why cyber security is one of the seven pillars of the Government’s digital strategy, which we published earlier this month. The digital strategy aims to make Britain the best place in the world to start and grow a digital business. But it also makes clear we must take action on cyber security.
One of the key issues is the gap between awareness and action. Government research from last year found the vast majority of businesses said cyber security was a high priority for them – But…
- Only around half had taken action to address cyber risks;
- And fewer still had formal written cyber security policies, or incident management plans.
I know the IoD and Barclays are publishing a new report today which has similar findings. I hope you will use that report to drive action and awareness in your organisations.
Our aim is to help businesses get the basics right, and encourage them to understand their cyber risks and manage them appropriately. This is one of the reasons we created the new National Cyber Security Centre, which aims to make the UK the safest place to live and do business online.
As well as protecting the UK at a national level, the NCSC, which is part of GCHQ, has a new role in supporting the “wider economy and society” – that is, the parts of industry and society the security services have not traditionally engaged with – including small and medium-sized businesses, charities and educational institutions.
Their door is open. We are making it as easy as possible to do this right, so there’s no excuse. Do please look at the practical, user-friendly advice the NCSC has on its website.
I want to highlight two things specifically which you can do.
Firstly, for getting the basics right, we created the Cyber Essentials scheme. GCHQ analysis shows the vast majority of cyber attacks exploit basic, known vulnerabilities, like passwords and admin access policies. Cyber Essentials shows you how to address those vulnerabilities. It’s simple, low cost and specifically designed for SMEs. All firms which rely on the internet should have Cyber Essentials – as a minimum.
The Government thinks this is so important we now require all our suppliers which handle sensitive data to hold a Cyber Essentials certificate.
Secondly, for managing cyber risk, we created the 10 Steps to Cyber Security guidance. This is about taking an organisational approach to cyber security and managing cyber as you would any other business risk. This is a board level issue, not one to delegate to the IT department. As directors and board members, you should all be engaged in this issue. I know the IoD has a role in promoting good corporate governance, so I commend the 10 Steps to Cyber Security and encourage you all to use it.
On Cyber Essentials, we’ll be launching a new push later this week to encourage all UK businesses to adopt the scheme. Numbers are really starting to grow. Already, we’ve awarded more than 6,000 certificates to date, with the numbers more than tripling in the past year. We’ll be publishing the figures on take-up each month from now on.
I mentioned the Government already requires many of its suppliers to hold a Cyber Essentials certificate. We’ll be strengthening this requirement to ensure even more of our contractors take up the scheme.
I can announce today that we will beef up our requirements for contractors to use the scheme. And I’m also pleased to announce that a number of the country’s biggest firms have also agreed to encourage their suppliers to adopt Cyber Essentials. These include Barclays, BT, Vodafone, Astra Zeneca and Airbus.
I think this is a powerful signal that the security of our suppliers is as important as our own security – the two things are inextricably linked. It is also a recognition that Cyber Essentials is an effective tool which can be built on to achieve greater security in our organisations.
To complement these new measures, we’ve also published updated Cyber Essentials requirements, to make the scheme easier to use. And we’ll be starting a marketing campaign on Friday to raise awareness and drive adoption of the scheme.
It’s important businesses and organisations take action. With the introduction of the General Data Protection Regulation next year, it’s crucial all organisations understand what data they have and ensure it is protected appropriately. Taking these actions I’ve outlined will help. There is further guidance on GDPR on the Information Commissioner’s website.
We also want to develop our national capability to deal with the cyber threat, which is why we are supporting the UK cyber security industry, which is worth nearly £22 billion and has a strong record on growth and exports.
We are funding a range of interventions to support the UK’s cyber security ecosystem, which help companies at different stages of the business lifecycle.
To help develop an initial idea into a commercial reality, the Academic Start-Up programme helps those in academia turn their research ideas into commercial products. There is also “HutZero”, an early stage accelerator, delivered by Cyber London and Queen’s University Belfast, to mentor individuals with early ideas and help turn them into workable proposals and potential new businesses.
To help turn a product into a start-up firm, we’re opening two Cyber Innovation Centres. The first in Cheltenham is already open, and features the GCHQ Cyber Accelerator. Successful applicants to the Accelerator gain access to GCHQ’s world-class expertise as they develop their products and grow their businesses. The London Innovation Centre will open later this year.
And to help early stage companies become successful companies, we’ve partnered with the Digital Catapult to launch a “small business bootcamp” called Cyber 101, which offers business basics for cyber security small businesses and SMEs.
Finally, we’re working on an initiative to help put successful companies on the path to becoming world-class enterprises.
The final piece in the jigsaw, and a crucial one if the industry is to continue growing, is tackling the skills shortage. We made some progress over the past five years by putting in place interventions to improve cyber security skills at every level of education. We’re now going further with a bigger strategic programme, which includes:
- A Cyber Schools Programme to identify talented and motivated 14-18 year olds, and help nearly 6000 of them become future cyber security professionals;
- Cyber Security Apprenticeships, to establish apprenticeships as a viable route into the cyber security profession. Our initial pilot this year attracted over 1000 applications for around 30 apprenticeships;
- And, a Cyber Retraining Programme to address the skills gap more immediately. This will help those already in the labour market change careers and become cyber security professionals in a short timeframe.
This work will be brought together in a Cyber Security Skills Strategy to be published later in 2017.
So we have a huge amount of activity underway. But ultimately this is something which can only be done through partnership between business and Government. So I look forward to continued working between IoD members and the Government, to help deliver our shared mission of making the UK the safest place to do business online. Thank you.