Earlier this year, more than 230,000 computers in over 100 countries were infected by the WannaCry ransomware attack, hitting 47 trusts within the UK’s NHS.
“Cyber security is a growing concern and one of the biggest threats to UK and global businesses. Had the NHS been up to date with their cyber security, they could have avoided this attack,” says Anthony Cotton, Information Assurance Officer at the University of Derby.
It isn’t just large companies that are vulnerable though. Small to medium sized businesses are also at risk – a reported 74% have been subject to information security breaches. “60% of small businesses fail within the first six months of being hit by a cyber-attack,” Anthony adds.
With increased availability of automated hacking tools on the ‘dark web’ experts say the scale and size of threat will only increase.
“With a growing number of connected devices, demands for transformative technology and users’ insistence that their data is secure, the problem is not going to go away,” says Andy Butcher from Axians, who are specialists in helping organisations to develop secure networks.
In October 2016, the UK government launched the National Cyber Security Centre (NCSC) with an aim to make the UK the safest place to work and live,and address the cyber skills gap. Much work has been achieved over the last 12 months but is the government’s strategy for dealing with cyber security adequate?
Anthony believes it’s going in the right direction. “The government published a comprehensive, national cyber security strategy last year, which is actually very good. With the opening of the NCSC – part of the Government Communications Headquarters (GCHQ) – and company access to the Cyber Security Information Sharing Partnership (CiSP), businesses can view secure communications about cyber incidents and ensure their systems are protected.”
For Andy, these strategies will help businesses to mitigate risks. “When things go wrong the reputational damage that accompanies security breaches can be significant. This means that companies have more impetus than ever to protect their information on the networks.
“With the introduction of the EU General Data Protection Regulation (GDPR) set to come into effect on 25 May 2018, any organisation that handles personal or confidential data must be on track towards compliance or face substantial fines,” he adds.
While more information is now available to support businesses, one of the biggest problems facing the cyber security industry is its talent pool. The largest ever survey of the global cyber security workforce predicts a shortfall of 1.8 million cyber security workers by 2022, and job site Indeed reports that employer demand for cyber security roles is three times higher than candidate interest. So, how can we close the skills gap and attract more young people into the profession?
Anthony says that extensive training opportunities are available and organisations are starting to see the value in joining these. “There are now 14 UK Academic Centres of Excellence in Cyber Security Research at universities in the UK, and initiatives such as the Cyber Security Challenge UK, where the next generation of cyber defenders can test their skills, are starting to attract younger people into the industry.”
Businesses should also weigh up the need for skills against reputational risk and build this into their strategy.
“A business can put itself at risk without the right skills, causing a disparity between the long-term vision of the company and the reality of the here and now,” Andy argues.
The solution? “Skills can be found externally to create partnerships in network security. Increasingly, we are seeing ‘virtual security officer’ style roles where security consultancy, pre-sales skills and support skills are pooled into a service rather than a single full-time employee. This is far more affordable and means businesses benefit from a wealth of knowledge from those who deal with a variety of networks and technology every day,” he adds.
Cyber essentials – five key tips:
- Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring only those who should have access to systems actually have access and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and is it up to date.
- Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.
While the search for fresh talent continues, businesses must be prepared and have the processes and technology in place to mitigate potential risks. The question remains: what should businesses be doing to protect themselves?
Andy advises: “The main issue isn’t the threat of a targeted attack; for businesses it is keeping up to date with vulnerabilities in their own networks. Organisations should start by understanding where their risks are and plan to re-architect the network so that risks can be avoided without affecting business as usual service.”
This sentiment is reinforced by Anthony, who believes that businesses need to be one step ahead of the cyber attackers. “The old adage to leave working systems as they are has been turned on its head. A lot of organisations now see the benefit of having a more mature approach, including the creation of Security Operations Centres as part of their cyber security provision, who forecast, forward plan and proactively hunt out potential issues.”
While it is not possible to stop every cyber-attack, businesses appear to feel more supported and confident in their ability to combat the growing threat of a substantial attack. As the experts say, organisations, employees and our own personal data can be compromised if we aren’t prepared. In this game of cyberwarfare, we always need to be one step ahead of the hacktivists.
