Cyber security remained high on the national agenda in 2014, with the UK government allocating more money to bolster national cyber resilience and support UK businesses.
2014 saw the official launch of the first UK national computer emergency response team as well as faster than expected growth of the government’s cyber security information sharing partnership (CISP).
The UK government also introduced the Cyber Essentials scheme to help UK business achieve and demonstrate a basic level of cyber security by becoming certified on the scheme.
As part of efforts to make the UK a safe place to do business, the government has increased support to small and medium businesses to face cyber security challenges with limited resources.
There has also been increased focus on ensuring critical national infrastructure suppliers and the financial sector have reasonable levels of capability to resist cyber attacks.
At a regional level, the European cyber security agency Enisa announced plans to re-focus its efforts with a new strategy to put economic benefits at the forefront of all its activities.
Nato also announced plans to work with the governments and businesses of member countries to bolster cyber security knowledge and capabilities.
While there is a relatively high focus on cyber attacks, KPMG raised the question of how prepared the UK would be in the event of a failure of the internet through some unintentional act.
Read Computer Weekly's top 10 cyber security stories of 2014 here:
After several delays, the government has finally launched the first national computer emergency response team, Cert-UK, to raise national awareness of cyber incidents and improve response capabilities. Announced in December 2012 as a key element of government’s £650m cyber security strategy, Cert-UK was initially set to launch by the end of 2013, but later rescheduled for 2014. On 31 March, Cert-UK went public as the single point of contact for UK business and other national Certs on cyber security issues. Cert-UK also has responsibility for national cyber incident management, handling cyber incidents related to critical national infrastructure, and developing and sharing cyber threat situational awareness.
Membership of the government’s Cyber Security Information Sharing Partnership (CISP) is well ahead of target, says the national computer emergency response team (Cert-UK). “We had set a target of 500 member organisations by the end of 2014, but we are already way beyond where we expected to be with more than 680,” said Chris Gibson, director of Cert-UK. “Although initially focused on organisations that support critical national infrastructure, membership is free and open to any UK company with a network to defend,” he said. The CISP – set up in March 2013 and hosted by Cert-UK since it was launched officially in April 2014 – uses a dedicated, online collaboration environment to enable government and industry members to share cyber threat and vulnerability information. Members are able to share, publicly or anonymously, information on cyber incidents they are seeing to help them help themselves to protect against cyber threats. “The CISP is now very much the situational awareness platform within Cert-UK, with more than 1,850 individuals on the system,” Gibson told Computer Weekly.
The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme (CES) from 1 October 2014, but what benefits will this bring and is there a downside? The most obvious benefit is that it will raise the overall level of protection by putting security in the procurement process, thereby creating a commercial reason for improving security. But market commentators have said that while the cost is relatively low at basic level, there does not appear to be any financial help available for SMEs to close any security gaps identified in the self-assessment phase. Also, the scheme addresses only a very basic set of technical controls, and does not address best practice in the areas of governance or user awareness. Other security experts cautioned against over-reliance on CES, saying that it is a good starting point, but CES accreditation does not necessarily mean an organisation is as secure as it can be.
The European cyber security agency, Enisa, plans to re-focus its efforts with a new strategy to put economic benefits at the forefront of all its activities. The strategy, dubbed “digital sovereignty,” is aimed at aligning the agency’s work with the European Union’s economic policy and goals. “If the EU is to have a successful cyber security strategy and directive, we have to ensure the incentives for business are clear,” said Steve Purser, head of the core operations department at Enisa. “We need to align cyber security with European industrial policy and ensure businesses understand how they will benefit from the strategy and the associated directive,” he told Computer Weekly. By ensuring that technology, business models and standards are all aligned, Purser said Enisa can help make European industries more competitive.
While Nato and business may be unlikely bedfellows, security experts are calling for a closer relationship and Nato strategists may be more willing than expected. The basis for this unlikely relationship is cyber security, which featured fairly prominently at this year’s Nato Summit in Wales with the adoption of a revised cyber security policy. But what has a military organisation like Nato got to do with private sector business? Simply put, it is in a position to influence the 28 Nato member countries in terms of improving their cyber defence capabilities and passing that on to business, according to Jason Hart, vice-president of cloud solutions at data protection firm SafeNet. The good news is that Nato is planning to increase its focus on these issues under a new cyber security policy, said Jamie Shea, Nato deputy assistant secretary general for emerging security challenges. “We are now thinking beyond taking care of just Nato cyber defences, and although we have a lot of work to do, we now have a policy basis that allows us to get on with that,” he said. The new policy makes, for the first time, cyber attack a potential trigger for invoking the Nato treaty’s article that requires members to come to the aid of any member under attack, Shea told Computer Weekly. Another key element of the enhanced cyber policy is to expand Nato’s cyber defence capabilities beyond the organisation itself to provide assistance to individual member countries.
Global companies are being forced to pioneer international privacy standards as they face a growing number of government requests to access customer data, says consultancy KPMG. Stephen Bonner, partner in information protection and business resilience at KPMG, said that, in the absence of any state-led guidelines, he is seeing global companies doing it for themselves. “We see global companies really struggling because you can get a legally-approved warrant in one country that is fundamentally against human rights in another. Both jurisdictions are comfortable saying their rules apply everywhere else, which makes it difficult for companies caught in the middle,” he said.
Cyber attacks are increasingly in the headlines of mainstream media, yet research reveals that a third of UK micro businesses would not know what to do if their IT was breached. Four in 10 micro businesses would struggle to recover if all data were lost and one in four would not be able to recover any data, the study by Kaspersky Lab revealed. Why are they so unprepared? This is a significant problem in light of the fact that there are 4.7 million micro businesses in the UK – defined as companies employing 10 or fewer people – which are the bedrock of the UK economy. It is also worrying because most of these companies are suppliers to bigger companies and therefore more likely to be targeted by cyber attackers as a stepping stone to bigger targets.
Targeted attacks on computer industrial control systems (ICS) are the biggest threat to critical national infrastructure, according to security firm Kaspersky Lab. But what are the unique security challenges? The main challenge is linked to the fact these systems typically control physical processes that relate to power, transport, water, gas and other critical infrastructure. This means almost 100% availability is required, which in turn means it is very difficult and costly to interrupt these systems for things like security updates. Because the output of ICS relates to physical processes, the effects of any downtime – such as a power outage – can affect millions of people. For this reason, organisations that support critical infrastructure cannot risk downtime by allowing automatic security updates for ICS that could cause systems to restart or shut down. Other challenges include maintaining ICS security on legacy systems, using insecure operating systems to cut costs, greater ICS connectivity, and the lack of industry-specific risk management strategies.
Banks are under-reporting cyber fraud because they don’t want to scare customers, a parliamentary committee has been told. A University of Cambridge researcher told a Treasury select committee that the amount of money being taken from people's accounts through cyber crime is twice as much as what is reported. Speaking at a meeting about the treatment of customers by finance firms, Dr Richard Clayton, a senior researcher in security economics at the University of Cambridge, said: “Insiders tell me the going rate is about twice the amount of money [reported by banks] goes walkies out of people’s accounts.” He said banks keep this secret because a lot of it is recovered. One senior security professional in the banking sector said banks are constantly being attacked by cyber criminals, and that banks play down the level of cyber crime.
A total internet failure is the one thing that could stop any business in its tracks, yet few are preparing for this possibility, consultancy KPMG has warned. Stephen Bonner, partner in information protection and business resilience at KPMG, said this could happen within the next five years as the number of internet nodes far internet outage that could last two to three days,” he told Computer Weekly. Bonner said he thought an outage will most likely be caused by human error of some kind. “Although there are vulnerabilities in the internet that malicious actors could exploit to cause a total outage, nobody would benefit, therefore it is unlikely to be the result of a deliberate act,” he said.