What do Tesco Bank, Talk Talk and Northern Lincolnshire and Goole NHS Trust all have in common? An easy question for anyone in the cyber security business – they’ve fallen victim to security breaches.
And a critical report recently published by the Public Accounts Committee (PAC) states that while the threat from cyberattacks has been one of the top four risks to national security since 2010, it’s taken government too long to consolidate and coordinate the 'alphabet soup' of agencies that are meant to be protecting Britain online.
The PAC goes on to provide six recommendations that will increase the UK’s security. Here, I tackle the three I think are the most important.
Create a detailed plan for the National Cyber Security Centre (NCSC)
This advice comes a mere four months after the NCSC was established and it’s already been tasked with taking the lead on protecting government networks, using technology and innovation to automate defences, and taking control of incident response.
These are all huge asks and it’s vital the government doesn’t complicate matters by strangling the process with bureaucracy. My advice? As the NCSC emerges from government into industry, allow it to operate as a business and learn how it needs to effectively support commercial business.
Assess the cost and performance of government information security activities more broadly
Consider this: The UK spends billions of pounds a year on defence, but it’s extremely difficult to quantify the value of security until you’re attacked. It all depends on how you measure value – and this requires an outlook that isn’t focused purely on costs. The same outlook needs to be taken with cyber security.
It’s also worth highlighting that the recommendations only focus on preventing cyberattacks. But it’s naïve to assume you’ll never be attacked or that attackers will never be successful – even if you have the best defences possible. Prevention is just one side of the coin and an organisation’s resilience and ability to bounce back quickly after an attack should be given equal importance.
Whilst the PAC has an important role in scrutinising how government money is spent, assessing the value for money of security initiatives will always be very hard. This should be accepted – efforts to drag cyber security programmes through government value for money assessment exercises will just stifle the innovation needed to tackle this challenge.
Plug the cyber security skills gaps
Up until now, the government has focused its initiatives on undergraduate level and beyond. But with just 10% of pupils taking a GCSE in Computer Science in 2015/16 and less than 1% of A Levels taken in Computing, the focus needs to be on engaging schoolchildren from a young age.
Our annual Raspberry Pi competition aims to do just this. It gives students as young as eight the opportunity to gain hands-on experience of computer programming and engineering. Lessons should also be learned from Israel – a country renowned for its cyber security prowess. The necessary skills are embedded in the curriculum from an early age; both Israeli academia and the military continue to put cyber security at the top of their priorities, generating a continuous and sustained pool of cyber talent that supplies industry.
Good steps are being made but, as highlighted by the PAC, there’s still a lot to do. This is inevitable when tackling such an emergent and dynamic challenge. It’s only by taking a different approach across these three fronts that the UK will increase its chances of preventing cyberattacks – and recovering from any attacks it does fall foul of.