The National Audit Office has issued a report criticising the UK government’s approach to cyber security. The report says that the GCHQ dealt with 200 “cyber national security incidents” per month in 2015 and that there were 8,995 data breaches in the 17 largest government departments in 2014/15. This news comes just ahead of the UK government launching the National Cyber Security Centre next month.
IT Security Experts from Digital Guardian, WhiteHat Security, Barracuda Networks, Veracode and Ipswitch commented below.
Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian:
“Public and private organisations alike have a duty of care, not to mention legal obligation, to protect data. It doesn’t matter if the contents of that data are good, bad or ugly. If you store it, you have to look after it. A simple mistake in handling citizen’s private information could have life-altering effects for those caught in the middle.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“It is a step in the right direction for the UK government to invest more money in cyber defence by launching the National Cyber Security Centre. In our experience, money is always better spent in the defence of future attacks rather than in trying to find and abolish the culprits. The issue is not the attackers – they are always going to exist – it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”
Wieland Alge, VP & GM EMEA at Barracuda Networks:
“It’s interesting that we see many of these damning cyber crime assessments, and yet both the public and private sectors are still not taking the necessary actions to protect themselves and their customers. Many are still ignorant to the fact that everyone has become a target and an astonishing number are surprised that they have been attacked at all.
“That said, modern cyber threats are no longer simple to defend against. The crucial change in recent years has been that cyber criminals are shifting towards more targeted scams and more advanced malware that cannot be detected by traditional scanners. What’s more, the increase in mobility and sheer volume of devices has exponentially increased the potential attack surface. We are in a kind of golden age for digital crime. The business has injected change at accelerating speed into all elements of IT and many organisations are simply trying to keep their security stable. It has become quite easy for attackers to find an unprotected door.”
Paul Farrington, Manager of EMEA Solution Architects at Veracode:
“Coordination is key to improving the government’s “dysfunctional” approach to data security. One way of doing this in in clarifying the remit of the Chief Security Officer. Government departments are unlikely to want to have their delivery agendas interfered with by a Cyber Czar, who may not be perceived as holding political influence. As such, there probably needs to be a financial incentive in terms of budget release for departments to play ball with any Security Officer. That ultimately means that Key Performance Indicators will need to be established to help drive incremental improvement and coherence across Whitehall.
“It’s unlikely that a single initiative can address all the known security problems highlighted by the report. However, it is clear that Britain continues to be weakened by security breaches: citizens lives are impacted and, in some cases, put at risk, when a breach occurs; government and businesses suffer when valuable secrets are stolen and given to outside interests. It is essential that the execution of the government’s security policy begins to match the political rhetoric. A willingness to change is essential and, while securing government may seem an unsurmountable task for some, engaging with the soon-to-be-opened National Cyber Security Centre will be just one way that government departments will be able to call upon expertise in this area. “
Michael Hack, SVP of EMEA Operations at Ipswitch:
“Whilst rules on data protection, privacy and sharing have been in a state of flux in the last year, that’s absolutely no excuse for poor data security policies, procedure and practice in any organisation. Requirements for new data regulation, the GDPR (set to come in to force in May next year) have been very well documented and publicised. Data breaches will need to be reported without undue delay and within 72 hours of becoming aware of it.
“Public bodies strive to be in the headlines for setting standards and best practice, not for failing in their data security responsibilities. Many have invested already in bolstering their IT security and data sharing processes. Government now needs to introduce a cohesive risk management exercise that identifies the key processes and assets, and evaluates their vulnerabilities and potential threats. The results will then highlight priorities for the next stage of the process. The exercise should cover all areas of public sector and should also consider technologies and strategies to mitigate the risks identified.
“Public sector organisations must ensure they have the right file transfer technologies, security systems, processes, and most importantly, staff training. By automating, managing and controlling all file transfers from a central point of control, staff are able to easily send and share files using approved secure methods and the IT department gains complete control over activity.”