The head of the UK’s National Cyber Security Centre (NCSC) has urged organisations to ensure they understand cyber risks, as a survey reveals mid-sized firms have inadequate cyber protection
The most important thing leaders of organisations can do is to stop being afraid of the problem and try to understand it, according to Ciaran Martin, chief executive of the NCSC.
“For too long, cyber security has been shrouded in mystique and fear – that’s not helpful,” he said in the annual KPMG lecture, hosted by Queen’s Management School and the Chief Executives’ Club at Queen’s University Belfast.
“Attacks are about return on investment, and cyber defence is about risk management and harm reduction,” said Martin.
“When you put it like that, it doesn’t seem so completely daunting. There’s plenty we can do to manage the risk. So simplify, simplify, simplify. Understand the risks and take action that you understand to manage them,” he said.
Digital attacks are a real risk to the economic wellbeing of Northern Ireland and its citizens, warned Martin, because they can cause widespread disruption to individuals, companies and public services.
“There’s some great work going on around Northern Ireland, for example at Queen’s, and we need strong partners across the whole of Northern Ireland society to combat the threat. That’s the way to make Northern Ireland one of the safest places to live and do business online,” he said.
Facing the challenge
Given that cyber attack is about return on investment (ROI) for the attacker and risk management for the defender, Martin said the NCSC’s job as the national authority for cyber security is to do what it can to help take away as much of the harm from as many of the people as often as possible.
“Doing that isn’t as glamorous as Hollywood makes out. Instead, it’s about a relentless focus on getting these basic defences right,” he said, adding that defences have to be usable by people.
“By focusing not just on technology, but also on behaviours and economic incentives, the government can help create the right framework where that improvement in basic cyber security can take place.
“Success is possible. We are not claiming that we’ve cracked the problem. I’ve already said that we expect serious attacks with significant public impact, but that doesn’t mean we can’t make progress.
“In the 12 months to September of this year, we saw a 47% increase globally in detected phishing attacks. But the UK’s share of those attacks fell from 5.1% to 3.3%,” he said.
By breaking the problem down into manageable chunks, and looking objectively at what is and is not working, Martin said some improvements can be achieved.
“Please don’t let anyone tell you that the problem is unfixable, or that the right skills can’t be developed. Skills are indeed a very significant challenge, but there is no reason at all we should see it as an insurmountable one,” he said.
“My final message to you as chief executives is that the most important thing you can do is not to be afraid of the problem. Work out what you care about protecting the most, treat it as you would any major corporate, and engage with us and with other partners to work out what the best protections are for you. Cyber security is a team sport and we should be optimistic about our ability to make a real difference.”
John Hansen, partner in charge, KPMG in Northern Ireland, said KPMG’s recent CEO outlook report revealed that cyber security is a key issue for business leaders in Northern Ireland.
“CEOs are moving beyond a generic view of cyber risk and are taking steps to become more cyber resilient by developing risk, resilience and mitigation plans in the parts of their business that could be most seriously affected,” he said.
Nola Hewitt-Dundas, head of Queen’s Management School, said: “Cyber security threats are fast becoming a major global and national issue for all organisations and businesses.
“This annual lecture series is one way that the Management School is working in partnership with KPMG to equip businesses to respond to serious technological challenges,” she said.
Seek out dedicated teams to fight cyber crime
The survey revealed that the inadequate protection of mid-sized firms is not due to a lack of investment in technology, but to a lack of the dedicated, skilled resource needed to make the most of those tools.
The survey of 100 IT decision makers shows that 72% have implemented a security information and event management (SIEM) system, which combines data from multiple sources and presents security-related information in an accessible form. Organisations also regularly refresh other security systems, such as firewalls, which 83% of respondents had replaced with more modern technology in the past three years.
However, only 4% had staff dedicated to monitoring, analysing and reporting security information created by a SIEM or other sources, and only 6% had staff dedicated to acting on security reports.
With day-to-day security management falling to multi-tasking, generalist IT resources, the survey report said it is not surprising that just 19% of organisations monitor all IT logs that might contain security information. When potential threats are identified, only 13% of organisations are communicating the intelligence to someone able to deal with it.
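The survey's point is that the tooling is in place but nobody is watching it. As an added illustration of what the monitoring, analysis and reporting work actually involves (example code written for this page, not CORETX's or any vendor's product), the Python below does in miniature what a SIEM pipeline does: it normalises two constructed log sources into one timeline, applies a correlation rule to the authentication events, corroborates a hit against the firewall records, and assigns the resulting alert to the team that owns the affected asset, which is the "communicating the intelligence to someone able to deal with it" step the survey found only 13% of organisations perform. The log lines, host names, IP addresses, asset inventory and team names are all constructed.

```python
"""SIEM-style aggregation of two constructed log sources into one timeline,
a correlation rule over the result, and routing of the alert to an owner."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article or any real system).
AUTH_LOG = """\
2017-11-14T09:00:01Z host=app01 sshd: Failed password for admin from 203.0.113.7
2017-11-14T09:00:03Z host=app01 sshd: Failed password for admin from 203.0.113.7
2017-11-14T09:00:04Z host=app01 sshd: Failed password for admin from 203.0.113.7
2017-11-14T09:00:05Z host=app01 sshd: Failed password for admin from 203.0.113.7
2017-11-14T09:00:06Z host=app01 sshd: Failed password for admin from 203.0.113.7
2017-11-14T09:00:09Z host=app01 sshd: Accepted password for admin from 203.0.113.7
2017-11-14T09:30:00Z host=db01 sshd: Failed password for alice from 198.51.100.4
2017-11-14T09:45:00Z host=db01 sshd: Accepted password for alice from 198.51.100.4
"""

FIREWALL_LOG = """\
2017-11-14T08:59:58Z fw01 ALLOW TCP 203.0.113.7:51512 -> 10.0.0.5:22
2017-11-14T09:00:20Z fw01 ALLOW TCP 203.0.113.7:51533 -> 10.0.0.5:22
2017-11-14T09:29:55Z fw01 ALLOW TCP 198.51.100.4:40000 -> 10.0.0.9:22
"""

# Hypothetical asset inventory: host -> (IP address, owning team). Constructed.
ASSETS = {"app01": ("10.0.0.5", "platform-team"), "db01": ("10.0.0.9", "dba-team")}

AUTH_RE = re.compile(r"^(\S+) host=(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\S+) (\S+):\d+ -> (\S+):(\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(auth_text, fw_text):
    """Parse both sources into one list of dict events, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": parse_ts(ts), "source": "auth", "host": host,
                           "outcome": outcome.lower(), "user": user, "src_ip": src})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, dev, action, proto, src, dst, dport = m.groups()
            events.append({"ts": parse_ts(ts), "source": "firewall", "host": dev,
                           "action": action.lower(), "src_ip": src,
                           "dst_ip": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source IP to one host
    within `window`, followed by an accepted login from that same IP.
    Each alert is enriched with the number of firewall sessions from that IP
    seen within the window, as corroboration from the second data source."""
    fw_events = [e for e in events if e["source"] == "firewall"]
    failures = defaultdict(list)  # (host, src_ip) -> timestamps of failures
    alerts = []
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["host"], e["src_ip"])
        if e["outcome"] == "failed":
            failures[key].append(e["ts"])
        elif e["outcome"] == "accepted":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                fw_hits = sum(1 for f in fw_events
                              if f["src_ip"] == e["src_ip"] and abs(f["ts"] - e["ts"]) <= window)
                alerts.append({"rule": "brute-force-then-success", "host": e["host"],
                               "src_ip": e["src_ip"], "user": e["user"],
                               "failures": len(recent), "fw_sessions": fw_hits, "ts": e["ts"]})
            failures[key].clear()  # a success closes the failure run either way
    return alerts


def route(alert, assets=ASSETS):
    """Assign the alert to the team owning the host; unknown hosts go to SOC triage."""
    owner = assets.get(alert["host"], (None, "soc-triage"))[1]
    return {**alert, "assigned_to": owner}


def run(auth_text=AUTH_LOG, fw_text=FIREWALL_LOG):
    return [route(a) for a in correlate(normalise(auth_text, fw_text))]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the app01 sequence trips the rule: five failures inside five minutes, then a success from the same address, with two firewall sessions from that address in the same window. The single failure against db01 followed by a success does not, which is the kind of judgement the survey says generalist staff rarely have time to make consistently.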
“Many organisations must be spending a lot of money on the latest technology and then failing to recruit the people they need to use it,” said Merlin Gillespie, group strategy director at CORETX.
“Analysing live data feeds to identify cyber attacks is something general IT staff are unlikely to be appropriately skilled for. It’s also a relentless task. There’s a lot of data to analyse and cyber criminals don’t respect nine-to-five working patterns. Non-specialists may struggle to be consistently effective at the level required, which seems to be borne out in our survey results,” he said.
Three-quarters of survey respondents said their organisations had recently fallen victim to a cyber attack, with 40% occurring in the past year.
“It’s clear that many organisations’ security practices leave very large gaps in their protection,” said Gillespie.
“In our view, creating actionable intelligence on the threats organisations face can only be handled by a dedicated team. A business can either recruit and support that function in house or outsource it, engaging a service provider that specialises in security. Whatever option is taken, the result can only be significantly more credible protection,” he said.