The biggest threat to online safety is poor cyber security, according to Ciaran Martin, CEO of the National Cyber Security Centre (NCSC).
“We have got to get away from fear-based cyber security as that approach has only led to poor behaviour and poor cyber security outcomes because many companies feel overwhelmed and unable to do anything about it,” he told InfoSecurity Europe 2019 in London.
“We have to move instead to a more pragmatic approach that enables people to get on top of the problem,” said Martin, adding that the NCSC has adopted this approach, as demonstrated in the three areas of action the agency is focusing on.
“The NCSC’s job is to manage national incidents and know who is attacking us, to make the internet safer and easier to use, to protect what we care about most and help everyone else best protect themselves, and to do what only the government can do rather than compete with the information security industry,” he said.
As a result, Martin said the NCSC is increasingly publishing advice rather than keeping things secret to enable organisations to take action to reduce the national risk.
When it comes to the cyber threat posed by nation states, for example, he said the NCSC is doing more to explain it and help organisations to understand in what ways they may be vulnerable and what they can do to mitigate the risk.
But in light of the fact that the impact of WannaCry and NotPetya was “accidental”, he added: “We need to worry about the impact of attacks going beyond the intent of the attackers.” In this regard, he said nation-state attacks are a threat to all, but the biggest impact on business is likely to come from cyber crime.
“And what we have learned from analysing 1,600 national-level incidents is that these attackers are often relatively simple, using low-level techniques and well-known malware that exploits weaknesses in out-of-date software.
“Typically, these attacks are not particularly advanced, persistent or threatening, so what we have learned is that the biggest threat to cyber security is weak cyber security and that is what needs the most attention.”
Boards need to get more technical and understand how they would manage a cyber security attack in real life rather than just in theory, said Martin. “While cyber risk is just another business risk to manage, that can’t be done without understanding it,” he said.
For this reason, he said, the NCSC has formulated five key questions for boards to ask. “Boards need to know the answer to these questions if they are going to be able to manage cyber risks,” he added.
The five questions are:
- How do you manage phishing attacks?
- How do you control privileged access?
- How do you keep software patching up to date?
- What do your suppliers do?
- How do you manage authentication?
In summary, Martin said cyber security is not something to be afraid of, but there is a need to promote a deeper understanding of the threats.
“We need to eliminate fear, take away the glamour, focus on the practical and aggregate our efforts,” he said.
“And as much of this should be left to industry as possible so that government can focus on the high-end risk, whether that is defending against the actors already out there or building resilience into the new systems as they are built.”
In closing, Martin said: “Technology is changing, but the difference between now and 20 years ago is that we can see a lot of this coming.
“Let’s work out seriously, dispassionately and transparently, using what evidence and expertise we’ve got, how between government and industry we get public policy and commercial incentives right, so we are not left with some of the structural flaws we’ve had over the past 20 years in the next phase of the internet. I’m confident that with the expertise we have in the industry, we should be able to do that.”