Under-reporting of cyber crime by businesses means crucial evidence and intelligence about cyber threats and offenders is lost, according to Peter Yapp, a deputy director at the National Cyber Security Centre (NCSC).
“Our role is in general cyber incident management and we are here to help victims of serious cyber attacks, and we want organisations to report these incidents to the NCSC, because we only have a partial picture of the cyber threat world with many still not sharing this information with us,” he told the TechUK Cyber in the digital economy conference in London.
The NCSC also wants greater interaction with UK businesses as part of an “informed, rational debate to improve UK cyber security, which is crucial to national security and prosperity,” said Yapp.
For example, he said, the NCSC wants feedback on the recently-published first version of the cyber assessment framework (Caf) for implementing the EU’s Networks and Information Systems (Nis) directive. “I would encourage you to read it, and if you think there is something that will not work in the real world, please feed that back so we can refine the Caf,” he said.
“We don’t have all the answers, and we need a healthy, flourishing partnership with the private sector,” Yapp told members of the UK technology industry body.
“The NCSC was created to provide a single one-stop-shop for UK cyber security, and hopefully the NCSC’s headquarters in London is an easy place for UK business to visit and collaborate with us,” he said, adding that the NCSC has brought together “unparalleled skills, capabilities and partnerships, and made “enormous strides” in improving and increasing the UK’s cyber capabilities.
“As part of GCHQ, the NCSC has access to some of the most-sophisticated capabilities available to government.”
However, the threat remains real and growing, said Yapp. “Further attacks will happen and there is much more for us to do to make the UK the safest place in the world to live and do business online.
“The NCSC manages national cyber security incidents, carries out real time threat analysis and provides tailored sectoral advice, but we can’t do it alone,” he said, highlighting the need for every part of society to play its part and further underlining the need for greater collaboration with UK business.
Yapp also encouraged UK businesses to join the NCSC-hosted cyber security information sharing partnership (Cisp).
“While a lot of the advice we give out is on our website, we also share specific guidance, threat information, and things that are just too sensitive on our Cisp platform,” he said.
Membership through recommendation
The Cisp is accessible only to UK organisations that have been recommended by an existing member and signed up for free membership.
Talal Rajab, head of programme, cyber and national security at TechUK noted that TechUK, as a member of the Cisp, offers sponsorship to all members of TechUK upon request.
Cisp membership, said Yapp, includes more than 9,000 individuals and more than 4,000 organisations, and is continually growing.
“Since its launch in March 2013, the value of the collaboration has been recognised by industry, and we are seeing around 4,000 visitors a month from members sharing information about breaches, what they have done to get over them, and what has worked and what hasn’t.
“Cisp is a highly useful resource and I would recommend becoming a member to all UK organisations,” said Yapp.