Businesses Must Do More To Boost Cyber Defences, Says Nadhim Zahawi

By ISBuzz Team
Writer, Information Security Buzz | Oct 19, 2022 05:36 am PST

It has been reported that UK businesses must start taking cyber crime more seriously and do more – including working more closely with the Government – to protect themselves, the Chancellor of the Duchy of Lancaster has said. Nadhim Zahawi, who is also the lead minister for cyber security, said companies must stop thinking of cyber security as “an issue just for company IT departments” and treat it as a business priority. Mr Zahawi’s comments come as figures show 1.6 million people were victims of cyber crime in the UK last year, with tens of thousands of businesses also targeted. Government research shows that only 23% of firms have a cyber security plan. The National Cyber Security Centre’s Suspicious Email Reporting Service has received more than 13.7 million reports since it was launched in April 2020, leading to the removal of more than 95,000 scams.

Businesses must do more to boost cyber defences, says Nadhim Zahawi | Evening Standard

Javvad Malik, Security Awareness Advocate
InfoSec Leader
October 19, 2022 1:42 pm

Gone are the days where only government departments or large organisations such as banks were targeted by cyber criminals. Today, we see organisations of all sizes and across all verticals being targeted equally. And with the dependency on technology, no one is immune to the impact it causes. From that perspective, Zahawi is correct that organisations need to do more to protect themselves from cyber attacks. Particularly small or medium ones which may not know where to start from, or feel overwhelmed by the amount of attacks. The Cyber Essentials scheme by the NCSC is a good starting point for most organisations. Other than that, it’s important to look at the root causes for most of the cyber attacks. These break down into three common themes. Social engineering such as phishing, credential compromises, and exploiting unpatched systems. By putting in place controls to address these three root causes, many organisations can avoid becoming victims of cybercrime.

Sam Curry, Chief Security Officer
InfoSec Expert
October 19, 2022 1:41 pm

New cyber mandates without means won’t help and risks bayoneting the wounded. What is needed is both mandates as well as incentives and enablement. It takes more than a stick or even a carrot to get a change. It also takes a feasible plan and resources that are attainable for the large parts of the market that today can’t be reached even with the best of intentions. For all organisations, please tackle cyber early and often. Letting it simmer is a recipe for disaster, so any program that gets ahead of the problem is going to be of tremendous value to citizens, businesses and public safety. Overall, I’m not surprised seeing statistics showing such a low number of organisations having strategies and plans in place to combat cyberattacks. Because after all, the majority of companies are small and medium sized businesses and they often don’t have the slack in the business plans to pay a hefty cyber tax with dedicated personnel, specialised tools and services and so on. Providing them with qualified advice, efficient resources and simplification instead of padding the pockets of expensive consultants and so on is incredibly valuable. The Cyber poverty line is real and much higher in the corporate world than many realize. Cyber should be more affordable and achievable to vastly more companies.

John Goodacre, Director of UKRI’s Digital Security and Professor of Computer Architectur
InfoSec Expert
October 19, 2022 1:41 pm

Addressing the spiralling costs and disruption of cybercrime is a nationally important topic. This announcement from the government is focused on the challenges of today, helping businesses to boost their defences and cyber response. The government is also engaged with industry to better balance responsibility across the supply chain, whether through the consumer protections from the PSTI bill, or through technology advancements such as the Digital Security by Design programme that should block around 70% of the ongoing software vulnerabilities from exploitation by cyber criminals.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
October 19, 2022 1:40 pm

Improved cyber defences are more than just stronger firewalls or better educated employees. Mitigating exposure to the business risks inherent in our distributed digital economy requires that all parties involved create, and maintain, an accurate accounting of where the software they run originates from, what data it processes, retains, and might transfer to a third party, and who has access to data and under what conditions. These concepts are all part of what’s known as a software supply chain or cyber supply chain. As one might expect, software supply chains are only as resilient as the weakest component. Should that weakest component fail, then any organisations downstream of that event are exposed to increased risk – whether they knew about their reliance upon that failure or not. Addressing the business risk associated with software supply chains requires organisations first identify all the software they depend upon and then create an inventory of what are known as dependencies within that software. A dependency could be a third-party cloud service, but it could also be a piece of open source software that was freely downloaded from the internet. All software and all dependencies were created with a set of assumptions as to how the software would be deployed and it’s against those assumptions that any security testing was performed. Any discrepancy between the way software was tested and the security requirements of your organisation represents a potential exploitable weakness.

Erfan Shadabi, Cybersecurity Expert
InfoSec Expert
October 19, 2022 1:37 pm

Cyberattacks cost the UK economy millions if not billions of Pounds a year and pose a threat to individuals and organizations. Small and medium-sized organizations are especially attractive targets because they have information that threat actors want, and they typically lack the security infrastructure of larger businesses. But it is imperative that all companies, regardless of their industry or size, strengthen their cybersecurity posture.

Here are some practical steps companies can take: start by learning about common cybersecurity best practices, understanding common threats, and dedicating resources to address and improve your cybersecurity posture. Protect your enterprise data not just with enhanced perimeter security but with data-centric security such as tokenization applied directly to that data. Beef up your disaster recovery plan and capabilities. Institute a stronger culture of cybersecurity within your organization that values care and caution over speed and velocity of operation (considering that social engineering tricks are a prime vector of attack), and lastly reduce any implicit trust of an entity or user based on location within the network down to zero: challenge, verify, and challenge again. While it may take a lot of energy for your organization to stay prepared, the alternative could be a complete blackout of your operations.
