This week we had the pleasure, in conjunction with our partners at Cyber Rescue, of hosting Nick Alexander from the UK Government’s Cabinet Office as he presented the UK National Cyber Security Strategy to 2021. Included in this announcement was £1.9bn of fresh funding for UK PLC in its fight against cybercrime. The centrepiece of the announcement was the creation of the National Cyber Security Centre (NCSC), a centre of excellence to provide a coordinated fight against cybercrime.
The timing of the announcement highlights the Government’s commitment to ensuring this country is fully equipped for the fight against this now established threat to all organisations. However, it does raise a question: if the UK Government, in the midst of the turmoil it is currently facing, is prepared to retain its focus on this initiative, can the same be said of the rest of us?
This announcement highlighted the growing shift from a technical to a behavioural response to this threat, and the subsequent discussion amongst a room of industry experts agreed on this. According to the Verizon 2015 Data Breach Investigations Report, “90% of all successful attacks rely on human vulnerability to succeed.” Nevertheless, according to recent research by www.axelos.com, only 52% of UK companies surveyed trained between 75% and 100% of their staff on this subject.
Investment in IT security is at an all-time high, but the most vulnerable part of any IT system walks out of the door each night with the keys to the castle. A significant number of company employees are not aware of the role they play in either protecting or potentially crippling an organisation. That is not to say that this excuse is a get-out-of-jail-free card for business leaders and the C-suite; the days of being able to say, after a breach has happened, that everything possible was done to prevent it are over. Your customers, the public, suppliers, investors and regulators will not accept that as a valid response to a breach.
Resources, expertise and support are readily available to all organisations; even the Government is committed to providing the following services:
Coherence to government cyber security;
Provision of tailored cyber security support to industry;
The government’s covert/overt skills and expertise;
Exchange of talent with other sectors;
Provision of better & faster responses to cyber incidents;
Development of innovation and growth of cyber skills;
Identification of future gaps, whilst addressing capability requirements and strategic challenges.
To put the issue into context, one financial institution reports that on average it deals with 40 million attempts to enter its systems every day. Its technical defences repel 99% of these attacks, leaving 1% that reach the secondary system and are defeated there. In its view, it only takes one lucky chance for an attempt to get through, and that chance is normally the result of a human action, intentional or otherwise. This could be a clicked link, a poor password, an insecure wifi connection in a foreign airport, the draw of a free memory stick… it only takes one action to open the metaphorical door for the hackers to get in. So what to do next, to achieve behavioural change across the organisation?
It is suggested that cyber security is on every boardroom agenda, but talking is not enough; the immediate necessity is to look at effective behavioural change across the business. This can only be achieved through training that is tailored, memorable, regular and engaging. How many organisations can say that type of programme is on the agenda discussed at their monthly board meetings?