Is the NCSC doing enough to protect us from today’s cyber threats?

In its annual review, the National Cyber Security Centre reported preventing a total of 79,567 attacks. But how successful has the organisation been and what else can it do to help safeguard the UK? David Warburton discusses

The digital sector is now worth over £118 billion annually to our economy and the cyber security stakes are higher than ever. The UK government is on high alert, having launched the National Cyber Security Centre (NCSC) a year ago to position the UK as the ‘safest place in the world’ for online engagement and business. Working with private, public and other specialist organisations, its purpose is to provide accessible preparatory and mitigative guidance and support.

As a statement of intent, the initiative, which is part of a wider £1.9 billion cyber security investment, has prompted much action and discussion. It is also ahead of the pack in many respects, preceding similar moves in both the US and China. But how successful has the NCSC been to date? What else can be done to safeguard the UK against a relentless cyber security onslaught?

A year of cyber aggression
In its annual review, the NCSC reported preventing a total of 79,567 attacks. 590 were classified as significant, including incidents related to key national institutions like the NHS and the UK and Scottish Parliaments.

Over the past year, it has produced over 200,000 protective items for Armed Forces communications. Its Cyber Security Information Sharing Partnership (CiSP) with industry grew by 43 per cent. Following the WannaCry ransomware outbreak, there were over 23,000 visitors to the NCSC’s online platform, including 15,000 during the first weekend. Other notable achievements include the Active Cyber Defence programme, which claims to have helped reduce the average lifetime for a phishing site hosted in the UK from 27 hours to less than an hour.

The NCSC’s work is clearly a strong step in the right direction and its remit is continually expanding. As it evolves, it is important to build on its collaborative momentum, sharing best-practice, as well as strengthening its governmental and industry-specific alliances on a global scale. Looking further ahead, it also needs to do better to catalyse the notion of ‘security by design’ and, crucially, substantively address a growing skills-gap.

Implementing security by design
All-encompassing security must entail the rollout of a long-term strategy, specifically and sustainably structured to safeguard the future. A reactionary band-aid for the present is no use to anyone. New findings from the Ponemon Institute have yet again emphasised that the cost of a breach inevitably eclipses the cost of protection.

Security by design means all operating systems, browser software and apps must be explicitly designed to safeguard against the latest threats. There is hope that the NCSC will ramp up its direct work with organisations to encourage proactive approaches to security. Cyber security threats are broad but also idiosyncratic - there is no on-size-fits-all to staying safe.

It all starts with understanding the risks, including independent security testing and seeking consultancy from expert third parties. IT teams must evaluate where data is stored and ensure networks are built with security at the heart. Security architects and risk owners should assume that devices will get compromised and determine how best to segregate data in the event of a breach. Automatic device and system updates are vital, as is the constant monitoring of all user activity to spot anomalous behaviour. Setting a minimum-security requirement, as well as educating students and staff on safe password etiquette, should also be mandatory.

Internal awareness-raising is another top priority. Employees are often the weakest link in an organisation’s defence. IT security is everyone’s responsibility and it cannot be left to a small team of experts. For many, it will involve behavioural changes and cultural shifts. The NCSC needs to help bring about these step-changes on a wider scale.

Tackling the skills shortage
Globally, we are facing a chronic cyber security skills crisis. According to the Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, Europe will by understaffed to the tune of 1.8 million skilled professionals by 2022 – 15 per cent higher than predicted in 2015. No matter how advanced technology becomes, security teams will struggle to keep up with increasing threats if the talent pool remains limited.

Collectively, government, education and industry need to take more responsibility for helping young people to channel their talent and choose a career in cyber security. Education must prepare students early by treating digital skills with equal importance as other core subjects. Meanwhile, college and university courses need to offer the right balance of knowledge and practical application of skills to cultivate a future workforce ready to tackle real world threats.

Teachers also require better access to resources to bring the subject matter to life. Businesses have to take responsibility too and offer a wider range of internships and programmes to provide relevant, real-world experience, including mentoring from cyber security professionals.

Defending our future
The NCSC is not a cyber security panacea, but it is certainly an effective initiative and reminder for all organisations to drive change. While we need stronger policies, collaboration and resources from the top, organisations cannot afford to remain idle and expect to be hand-held to safety. Cyber security is a collective responsibility. Threats will be bigger, more complex and unpredictable in 2018. Now is the time to build security into every juncture of design, process and online interaction. Now is the time to leave no stone unturned in the hunt for the best talent.

David Warburton is Senior Systems Engineer for Government and Defence at F5 Networks.