CYBERUK 2018, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) cyber security conference, will see 1,800 cyber security experts gather in Manchester, England. One of the big talking points will be the joint report from the two agencies looking at the cyber risk to UK businesses.
It would be easy to just see the 30-page report as more doom and gloom, but that would be missing the point. This is not a report aimed at cyber security professionals. It is aimed at getting the boardroom to understand the risks and to get them to engage with the problem. It seeks to raise the level of cyber security preparedness by organisations, including government, from basic to priority.
Ciaran Martin, Chief Executive of the NCSC, said: “We are fortunate to be able to draw on the cyber crime fighting expertise of our law enforcement colleagues in the National Crime Agency.
“This joint report brings together the combined expertise of the NCA and the NCSC. The key to better cyber security is understanding the problem and taking practical steps to reduce risk.
“This report sets out to explain what terms like cryptojacking and ransomware really mean for businesses and citizens, and using case studies, shows what can happen when the right protections aren’t in place.”
What does the report cover?
The report sets out the trends and significant incidents that the two agencies have seen over 2017-2018. As well as discussing the threats in clear language, the report also provides information on how to mitigate them. The links to that content show just how much information the NCSC has created over the last year. The majority of the information is clear and easy to understand.
There is also a section on future threats. Unsurprisingly, this also encompasses the threats and incidents from the last year, many of which are still evolving. Among the threats that are expected to become major issues are those of data breaches and legislation. The key piece here is GDPR, but UK companies also need to keep an eye on Europe and the USA. There are several pieces of European legislation coming up that will impact UK companies even after Brexit. If not planned for, they will provide a shock to businesses.
It is this mix of explanation of the threat and where to find more information that will appeal to the boardroom. It can also act as a useful aide-memoire for hard-pressed IT managers or those new to cyber security roles inside enterprises.
The report also comes just days after an NCSC security advisory looking at threats to the supply chain for the UK Critical National Infrastructure. This is also taken up by this report, which is only to be expected. The growth of attacks from state-sponsored actors means that more and more powerful tools are in the hands of the bad guys. This is not good news for UK companies, especially given the shortage of skilled cyber security staff.
A lack of security staff is also a threat
This issue is where the report disappoints. The NCSC and GCHQ have been involved in creating cyber security apprenticeships. They are also both major backers of cyber security competitions such as the Cyber Security Challenge.
The NCA has a set of proven approaches to identify budding cyber criminals. It is often too cagey about what it is doing and how companies can help by providing access to training to turn potential criminals into cyber defenders.
While the report writers might think that talking about threats, incidents and future threats is all about the technology, it is not. If we don’t have the staff we cannot protect ourselves.
Also missing is any mention of the perceived threat by government from encryption. While the general approach is to encrypt everything, there is also a move to make access to encrypted data easier. This does not sit well with organisations of all sizes or the wider cyber security community. The constant demands from government for backdoor access to encryption schemes are, like it or not, a threat. This report should have talked about key management and the risks that backdoor access brings.
What does this mean?
For hard-pressed management who are struggling to understand the cyber security threat, this is a useful document. It sets out major challenges and threats along with methods to mitigate them. This is something that the boardroom needs. Cyber security is the only area that many face where throwing money at the problem doesn’t make it go away.
The report sets the tone for CYBERUK 2018 and the tracks and sessions that will take place. With the press barred from the majority of what is being delivered, it will give organisations an opportunity to discuss issues in a more controlled environment. However, the subject area is vast and those organisations sending just one or two members of staff may discover that, like the report, they have missed some valuable information.