UK business should take cyber security seriously, not only because of its risks but also because of the opportunities, according to the National Cyber Security Centre (NCSC).
“UK businesses need to see and grab the opportunities to make progress like never before,” said Alex Dewdney, director for engagement and advice at the NCSC.
As demonstrated by the CyberUK conference in Liverpool, the time is ripe for moving beyond discussions to make meaningful progress in finding new ways to address cyber threats, he told Computer Weekly.
The NCSC believes collaboration is the key, and is itself an embodiment of the government’s strategy to harness British capability across all sectors to establish the UK as a world leader in cyber security.
“It has got to be about people and technology. It has to be collaborative, and we are here to help,” said Dewdney, who signalled the change in government approach at RSA Conference in March 2016.
“We are starting to think about the extent to which government needs to be more interventionist and active,” he said at the time, regarding how it takes on cyber security challenges in collaboration with industry.
Dewdney, formerly director of cyber security at CESG, the UK’s national technical authority for information assurance, is now heading what he describes as the “service offering” of the NCSC.
“I run a number of teams whose job it is to get out and about and work alongside organisations [in all sectors] to find ways of improving cyber security for the UK,” he said.
Dewdney is determined to break new ground in this regard by covering a broader range of organisations than government has in the past.
The NCSC, he said, wants to go beyond big government departments and public authorities such as health, local government and critical national infrastructure.
“We also want to develop an offering for wider business, for small to medium-size enterprises [SMEs] and even for individual users of technology.
“This is one of the ways the NCSC represents a different approach from what we have been doing in the past. It is about becoming more accessible and relevant to a far wider group of constituencies.”
Working with SMEs
Dewdney said the new “economy and society” team that sits alongside the more established teams will move into the new area of working with SMEs, wider business and the general public.
“We have already put something like 200 items of guidance on our website that is relevant to that sector, and we are starting to build an online portal for SMEs to find relevant help and guidance,” he said.
Because organisations are at different points in the journey towards understanding the importance of cyber security, Dewdney said his teams’ engagements with business will be based on both push and pull.
“Some organisations are saying this is what we have been waiting for. They want to have an easy way of accessing help and guidance from a public authority, while with others we will probably have to ‘push’ more to raise awareness of these issues, so it really depends on the maturity of the sector,” he said.
Engaging with government around cyber security
For organisations that want to engage with government around cyber security, Dewdney said there are more ways of doing so than ever before – all of which are set out on the NCSC website.
“There is also an inquiries line, and we are increasingly putting pointers in our online resources, but clearly there is going to be a limit to the extent to which the NCSC can deal with individual SMEs and users of technology, so a lot of what we do will have to be on a one-to-many basis,” he said.
This includes the NCSC’s work to produce a cyber assessment framework and maturity model for the financial sector that can also be applied more broadly.
“Many organisations would welcome a clear definition of what good looks like in cyber security, and an assessment framework is a repeatable way for each to assess if they are doing enough,” said Dewdney.
Making a plan of action
One-to-one engagements are more likely to be with organisations in the critical national infrastructure (CNI) sectors or with organisations impacted by threats of national significance.
In CNI cases, the NCSC will work with the lead department, such as the Department for Culture, Media and Sport (DCMS) for the telecoms sector, to agree a plan of action.
“We will get alongside the organisation to understand where the key risks are, what can we do to help mitigate those – which may be advising where to find help in the private sector.
“It is about making sure the risks are understood and that there is a reasonable programme of work put in place to mitigate those risks,” said Dewdney.
However, he emphasised that cyber security is not something that is only for medium to large organisations. “We see instances of very small companies being hit by cyber attacks,” he said.
Dewdney said he expects that providing basic security messages will always be part of the NCSC’s work, especially with smaller companies.
“At the very basic level, there are three key pieces of advice: always back things up, be cautious in terms of emails and websites, and keep systems and software up to date with security patches,” he said.
Building a cyber security ecosystem
At the broadest level, however, the NCSC is working with industry and academia to exchange ideas and capabilities to build what it terms a UK cyber security ecosystem and community.
“Another big part of doing things differently is the NCSC’s efforts aimed at encouraging innovation,” said Dewdney.
“The government is not going to come up with all of the best ideas by itself. The magic happens when we get the right people together,” he said.
As part of this effort, the government is developing two innovation centres: one in Cheltenham, which is already helping SMEs develop products, and another planned for London in 2017 to work in partnership with industry to help and grow cyber security SMEs.
“Although the NCSC and the new innovation centre are in London, we are doing far more work regionally than used to be the case,” said Dewdney.
“Part of that is talking to the devolved authorities in Scotland, Wales and Northern Ireland, local authorities, and business groups that are often convened by a local enterprise partnership, which gives us a way of reaching local business communities in a way that we weren’t really doing before. We are a national cyber security centre, so it is important that we continue to make that outreach,” he said.