According to various media reports, a director of the National Cyber Security Centre (NCSC) says a ‘category one’ cyber-attack will happen “sometime in the next few years”.
- Major cyber-attack on its way
- Businesses need to change the way they think about cyber security
- A switch to risk management and understanding the impact of data loss is vital
- Investing in digital security products should be secondary to a tailored strategy
The NCSC reports to Government Communications Headquarters (GCHQ) and holds responsibility for safeguarding the information security of the UK. It was founded in 2016 to provide advice and support for the public and private sectors in how to avoid digital security threats.
Since its launch, the NCSC has dealt with 500 incidents: 470 category three and 30 category two, including the WannaCry ransomware attack that crippled the NHS and other organisations in 2017. A category one incident – the most serious and the only one that would require a government response – is yet to occur, but is said to be on its way in the next few years.
Dr Ian Levy is technical director of the NCSC. He believes that businesses, and governments, need to change the way they approach cyber security. Dr Levy says that rather than obsessing about buying the right security products, organisations should instead focus on managing risk; understanding the data they hold, the value it has and how much damage could result should it be lost.
Dr Levy’s advice was issued in the wake of a major cyber breach at US data broker Equifax, which resulted in the loss of more than 130 million personal records of American citizens. The data stolen included names, addresses, dates of birth and social security numbers; basically everything required to steal a person’s identity. The attack also saw 400,000 British residents affected and, whilst the information stolen was less personal (names, dates of birth, email addresses and telephone numbers), it still represented a very serious breach.
The words of Dr Levy cast a very worrying cloud over the state of the nation’s security infrastructure, particularly as he has stated that it will take a category one incident in order for changes to be adopted, because only an attack of that seriousness would call for a government inquiry or independent investigation.
“Then what will really come out is that it was entirely preventable… It will turn out that the organisation that has been breached didn’t really understand what data they had, what value it had or the impact it could have outside that organisation,” said Dr Levy.
Dr Levy recommends that organisations looking to avoid being affected by a major security breach should turn their attention to looking at what could actually happen.
So, instead of purchasing off-the-shelf remedies that have been designed for the technical personnel who control the IT rather than for the very people who work at the core of the business and handle sensitive data on a daily basis, companies should look towards their workforce when planning their cyber security solutions.
Understanding what could potentially happen should the particular data held get into the wrong hands is the place to start. Following this, an assessment must be made of the impact the loss of such data would have across the organisation and of course, those whose data had been stolen. Lastly, an education programme for every member of the organisation who is likely to come into contact with the data is essential.
If organisations – and this means their entire workforces – do not understand the value of the data they hold and the potential damage that could result from a breach, there is no point investing in protective software or technical solutions. In any case, a security solution must ALWAYS be fully tailored on an individual basis, which is why these assessments and education programmes are vital.
Your company’s cyber protection strategy should begin with a bespoke cyber security review. Why not request yours from the dedicated team at IQ in IT today?