A cyber security report has called for a change of mindset, from simply responding to incidents to a proactive approach of “continuous detection and response” to attacks.
The report, entitled The future of information security, said that as cyber attackers become more sophisticated, the speed of responding to attacks must increase.
“At present, information security tends to be very fragmented as it has been developed and implemented on a tactical basis reacting to new developments and changes in the type of threats,” the report by Intel Security and the Digital Government Security Forum (DGSF) said.
“As a result, it is generally silo-based and this creates opportunities for threat actors to exploit gaps and overlaps between the silos.”
The report highlights the need to build functional capabilities and identifies a series of components needed to do so, including having the right tools and intelligence in place, being aware of contextual issues, and having the right people and culture.
Speaking at the launch of the report at the Intel UK & Ireland Security Summit, John Thornton from DGSF said that the average time to react to cyber breaches is often weeks or months, sometimes even years. “It should be minutes and seconds to react and respond,” he said.
Thornton added that as technology evolves and attacks become more sophisticated, now is the time to think about the “security and data sharing implications of the ways we will work in the future”.
“This includes not just near-term issues like cloud computing and social media, but also longer-term developments such as automated systems for enquiry handling and even driverless vehicles,” he said.
New technologies, the widespread use of smartphones and mobile computing, all with different security environments, also increase the likelihood of exposure to cyber attacks, the report said.
It also highlights the emergence of the internet of things (IoT), which creates huge opportunities, it said, but security is often lagging behind the development of new functionalities.
The report indicated that the government and public sector will place increasing reliance on information security and are continuing to leverage developments in technology to do so.
Cyber security investment
Chancellor George Osborne recently announced a £1.9bn investment in cyber security over the next five years to “aggressively defend” public services from cyber attacks. The government will publish a new national cyber security plan in 2016.
The report said that public sector organisations are particularly “attractive repositories of large personal datasets” and that the change in how public services operate is “creating increasingly complex supply chains and partnership arrangements that multiply vulnerabilities and increase the attack surface”.
Government organisations will need to re-balance business objectives, end-to-end security, and overall governance and risk management to deal with increasing threats, it added.
With an increasing focus on digital technologies, transparency and sharing information, a balance needs to be found between protecting the data and giving access to it, according to the report.
“There are inherent conflicts between giving easy access to information and the requirements to protect corporate data and personal information,” it said.
“Balancing these conflicts is a shared responsibility between security professionals and those promoting digital,” the report added.
The NHS Care.data programme is a prime example of a programme which aims to share sensitive – although anonymised – patient information, but the project has prompted widespread discussion, not just around use, but also on the security of the data.
NHS England has acknowledged there is a risk of patients being re-identified through a jigsaw attack, but has placed strict controls on the release of the information.
“As defences harden in other sectors, the public services and NHS could be viewed as 'softer' targets, unless they continue to adapt and update their security arrangements,” the report said.
Earlier in 2015, the Health and Social Care Information Centre (HSCIC) set up a cyber security service to enhance cyber resilience across health and social care. HSCIC has already begun rolling out the service, with a full launch planned for January 2016.