News & Media

The UK launched its new Cyber Security Strategy last week, announcing its aims to make the UK “the safest place in the world to do business”.

It’s been five years since the last strategy which promised an investment of £860 million in UK’s cyber defence, and the Government has now committed £1.9 billion to a five-year strategy which outlines plans to “make Britain confident, capable and resilient in a fast-moving digital world”.

For the first time, the Government has announced offensive capabilities, the use of intelligence agencies in deterring crime and the use of regulatory steps and investor networks to give rise to better security in the business world.

The context

The strategy launches to a backdrop of increasingly sophisticated attacks which are capable of paralysing critical services such as telecommunications, hospital access and banking.

A growing area of concern is that our increasingly connected world through the Internet of Things (IoT) provides a huge resource for cybercriminals. IoT devices (physical objects that connect to the internet and communicate with other devices by sharing data), such as smart-fridges, car computer systems, smartphones and webcams are easy targets for hackers.  Cyber criminals can now craft attacks with unprecedented sophistication using information not just from public networks, but also from these connected private sources. These types of interconnected structures are then used to generate distributed denial of service (DDoS) attacks that are easy to leverage and efficient in their aim of taking a website offline. Most recently, we have seen an attack of this nature against DNS service provider Dyn, which brought down several major websites in the USA including CNN, Reddit and Twitter.

Worryingly, the National Institute of Standards and Technology (NIST) recently released a study which uncovered that people have reached security fatigue. The effort of remembering so many passwords, the constant alerts for new threats, ever-changing security measures and increased difficulty of accessing accounts are making people weary of using online services. Most give up on security altogether, with findings showing that “many interviewees” did not think their information was important enough to be hacked.

The study also found that the public place responsibility for online security with authoritative figures such as banks, online retailers and healthcare institutions, as we have seen from the public outrage over the Talk Talk data breach in 2015 and the recent Tesco bank hack. As a result of these organisations not looking after sensitive information properly, customers have been driven away, businesses have lost shares and reputations have been ruined.  

The strategy

The strategy, announced last week by Chancellor Phillip Hammond, acknowledges previous efforts made by businesses to implement better security, but declares that “the cyber threat impacts the whole of our society” and encourages everyone to play a part in our national response, with individuals, businesses and public and private sector organisations set to take a more prominent role in driving change.

For the public, the Government intend to “harness ‘trusted voices’ to increase the reach, credibility and relevance” of the cybersecurity message and encourage people to engage with their individual responsibility to stay safe online.

As for businesses, there is a more assertive stance: “for businesses we will work through organisations such as insurers, regulators and investors which can exert influence over companies”. The European General Data Protection Regulation (EU GDPR) is one of the regulations mentioned as a lever to drive up standards of cyber security across the economy.

The EU GDPR is set to become law in under a year and affects every organisation that deals with EU residents’ personally identifiable information (such as name, location data – which includes IP addresses and cookies, and any other information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual person). Regardless of the outcome of Brexit, the UK will still be subject to the EU GDPR as it aims to conduct business in the European space in a safe and compliant manner.

Other measures outlined in the strategy include:

• Incentives such as investment in innovation and start-ups
• Intelligence, research and sharing threat information with relevant industry representatives
• Setting up the National Cyber Security Centre (NCSC) as a unified source for analysing and understanding threats, offering advice and acting as the public face for Government’s actions

These commitments set the context for the National Cyber Security Strategy 2016-2021, making it clear that government and industry must find ways to make cyber security usable, while protecting the trust people place in authoritative institutions to keep their sensitive information safe.

We all have a part to play

The strategy places greater emphasis not only on business responsibility, but also individual citizens. With technology playing an increasingly significant role in our daily lives, we are all at risk of a cyber attack. The government has committed to lead the way when it comes to promoting better ‘cyber hygiene’ and with the majority of cyber attacks succeeding because of human error, there are basic steps we can all take to reduce our exposure to potential cyber harm.

The UK Government has introduced the industry supported Cyber Essentials scheme to help you put basic cyber security controls in place and help defend against common internet-borne threats. Implementing these measures can significantly reduce the common risks your face and it provides a good foundation of basic cyber security.