Production Perig - stock.adobe.c
We all watched a few weeks ago as the chancellor set the new Budget, pledging an extra £1bn to boost UK defences, including cyber security. Add to that the proposed internet safety laws and new regulations around the collection and use of personal data, and in many ways we are on the right path to keeping the UK as a safe place to live and do business online.
But it is always worth reminding ourselves, whether we represent government, industry or the individual, of the key part we all have to play in creating the skills, practices and expectations of a safe online and working environment.
The objective of government should be to help create an environment in which industry and individuals are encouraged to expect and deliver good cyber security, and where the UK has the cyber skills and workforce it needs. This can be achieved through the levers available to government – legislation, policy and incentives.
One area where the government is leading on such efforts in the UK is in establishing new “secure by design” measures, encouraging manufacturers to embed security into the design of new technology rather than as a bolt-on or afterthought.
The Department for Digital, Culture, Media and Sport (DCMS) says there are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, with the risk of poorly secured devices leaving people exposed to large-scale cyber attacks.
Such secure-by-design codes of practice, developed by the DCMS and the National Cyber Security Centre alongside industry, are not only key in driving innovation in technology, but in creating trust between government, industry and individuals through the development of products and services that keep people safe.
The role of government is also to set an example. According to EY’s 2018-19 Global information security survey, half of all local authorities in England still rely on unsupported server software.
In the face of emerging global cyber threats, and as the gatekeepers to our essential services, effective cyber security can only be tackled with the relevant technology and training rolled out across public sector departments, agencies and bodies to protect our critical assets.
Cyber security awareness
EY’s survey found that 77% of organisations are still operating with limited cyber security and resilience. Asked what they saw as their top vulnerability, 34% of organisations said careless or unaware employees. This underscores the importance of cyber security awareness and culture as key aspects of the defence against cyber attacks.
So what can be done? Even if the board knows that cyber attacks are on the rise, is it prepared to make the necessary investments in people, processes and technology to tackle these issues? The survey is encouraging in this respect, with 53% of organisations saying they have increased their budgets this year and 65% planning an increase next year.
Despite this, most organisations admit they would be unlikely to step up their cyber security practices or spend more money unless they were hit by a breach or cyber incident. So a breach where no harm was caused would not lead to higher spending for most organisations. The problem is that in most cases, harm has been done – it simply has not come to the surface yet.
But there is an opportunity here. Many organisations now regard emerging technologies as a high priority for business growth, which implies that cyber security could, at last, be designed in. That includes more secure cloud and mobile computing, and also enablers such as cyber security analytics, robotic process automation and machine learning, which can provide early detection, prevention and resilience in the event of an attack.
Ultimately, the role of businesses is to protect their enterprise by building effective lines of defence around their business crown jewels, optimising cyber security by leveraging suitable technologies, and embedding cyber security as an enabler, rather than a barrier, to growth.
Read more about cyber security
- Cyber security: A work in progress.
- Most UK business leaders expect suppliers to be cyber secure and nearly a third of businesses would terminate contracts because of suppliers’ security failings.
- UK government cyber security standard welcomed.
Cyber security is not just a matter for government and businesses – it is up to individuals to be accountable for their own data. We all have a responsibility to recognise that when we post something online, it is in the public domain, often for ever.
In an age when we manage most of our lives online, educating the public to be cautious when it comes to operational security can affect individuals positively, both as employees and consumers.
Finally, it is impossible not to mention the cyber skills deficit. With 30% of surveyed organisations saying they still don’t have the skills they need, cyber security must be promoted more strongly as a growing career path.
Government, industry and the individual all have their role to play in this – government in building the education infrastructure for IT; industry in creating the jobs that will encourage the workforce of the future; and individuals by taking the time to understand cyber security.
More diverse workforce
A more diverse workforce is also needed. According to the Centre for Safety and Education, only 8% of the UK cyber security workforce are women. As a result, we are seeing more partnerships emerge from organisations such as TechUK and Microsoft, as well as our own EY Women in Technology network, that aim to attract and retain more female cyber professionals.
Such initiatives not only create stronger networks between women in cyber, but also encourage others to consider their options in this space. More can and should be done, however.
Demanding more accessible and better cyber security must be a collective effort from all walks of society. Ultimately, effective cyber security is an ecosystem – it requires a careful balance of contributions from government, industry and individuals.
By understanding their unique role, and how they are interconnected, each can help make the UK the safest place to live and to do business online.
Cate Pye is associate partner, UK and Ireland, and security and government cyber lead at EY