The UK Government is on high alert, having launched the National Cyber Security Centre (NCSC) in February to position the UK as the “safest place in the world” for online engagement and business.
Working with private, public and other specialist organizations, its purpose is to provide accessible preparatory guidance and support to mitigate threats.
As a statement of intent, the initiative, which is part of a wider £1.9bn cybersecurity investment, has prompted much action and discussion. It is also ahead of the pack in many respects, preceding similar moves in both the US and China. But how successful has the NCSC been to date? What else can be done to safeguard the UK against a relentless cybersecurity onslaught?
A year of cyber aggression
In its annual review, the NCSC reported preventing a total of 79,567 attacks. 590 were classified as significant, including incidents related to key national institutions like the National Health Service (NHS) and the UK and Scottish Parliaments.
Over the past year, it has produced over 200,000 protective items for Armed Forces communications. Its Cyber Security Information Sharing Partnership (CiSP) with industry grew by 43%. Following the WannaCry ransomware outbreak, there were over 23,000 visitors to the NCSC’s online platform, including 15,000 during the first weekend. Other notable achievements include the Active Cyber Defence program, which claims to have helped reduce the average lifetime for a phishing site hosted in the UK from 27 hours to less than an hour.
The NCSC’s work is clearly a strong step in the right direction and its remit is continually expanding. As it evolves, it is important to build on its collaborative momentum, sharing best practice, as well as strengthening its governmental and industry-specific alliances on a global scale.
Looking further ahead, it also needs to do more to catalyze the notion of “security by design” and, crucially, substantively address a growing skills gap.
Transforming culture and implementing security by design
All-encompassing security must entail the rollout of a long-term strategy, specifically and sustainably structured to safeguard the future. A reactionary band-aid for the present is no use to anyone.
Security by design means all operating systems, browser software and apps must be explicitly designed to safeguard against the latest threats.
There is hope that the NCSC will ramp up its direct work with organizations to encourage proactive approaches to security. Cybersecurity threats are broad but also idiosyncratic. There is no one-size-fits-all approach to staying safe.
It all starts with understanding the risks, including independent security testing and seeking consultancy from expert third parties. IT teams must evaluate where data is stored and ensure networks are built with security at the heart. Security architects and risk owners should assume that devices will get compromised and determine how best to segregate data in the event of a breach.
Automatic device and system updates are vital, as is the constant monitoring of all user activity to spot anomalous behavior. Setting a minimum security requirement, as well as educating students and staff on safe password etiquette, should also be mandatory.
Internal awareness-raising is another top priority. Employees are often the weakest link in an organization’s defense. IT security is everyone’s responsibility and it cannot be left to a small team of experts. For many, it will involve behavioral changes and cultural shifts. The NCSC needs to help bring about these step-changes on a wider scale.
Tackling the skills shortage
Globally, we are facing a chronic cybersecurity skills crisis. According to the Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, Europe will be understaffed to the tune of 1.8 million skilled professionals by 2022 – 15% higher than predicted in 2015.
No matter how advanced technology becomes, security teams will struggle to keep up with increasing threats if the talent pool remains limited.
Collectively, government, education and industry need to take more responsibility for helping young people to channel their talent and choose a career in cybersecurity. Education must prepare students early by treating digital skills as equal in importance to other core subjects. Meanwhile, college and university courses need to offer the right balance of knowledge and practical application of skills to cultivate a future workforce ready to tackle real-world threats.
Teachers also require better access to resources to bring the subject matter to life. Businesses have to take responsibility too and offer a wider range of internships and programs to provide relevant, real-world experience, including mentoring from cybersecurity professionals.
Defending our future
The NCSC is not a cybersecurity panacea, but it is certainly an effective initiative and reminder for all organizations to drive change. While we need stronger policies, collaboration and resources from the top, organizations cannot afford to remain idle and expect to be hand-held to safety.
Cybersecurity is a collective responsibility. Threats will be bigger, more complex and unpredictable in 2018. Now is the time to build security into every juncture of design, process and online interaction. Now is the time to leave no stone unturned in the hunt for the best talent.