Prompted by the forthcoming Comprehensive Spending Review, discussions have already started about the UK’s next cyber security strategy. The 2016-2021 National Cyber Security Strategy still has two years to run its course, but since its launch the cyber threat to the UK has evolved and in turn the response from government, industry and society has matured.
The Department for Digital, Culture, Media and Sport (DCMS) just released its 2019 Cyber Security Breaches Survey, outlining the current challenge facing businesses and their response. Notably, around a third of businesses reported experiencing cyber security attacks in the last 12 months, with larger businesses inevitably a more tempting target. Fortunately, however, this is a dip from previous years, going down from 43% of businesses in 2018 and 46% in 2017. Regrettably, the financial cost of such incidents has only risen since 2017, with the average cost to a business escalating from £2,450 to £4,180 in 2019.
The survey presents a mixed picture in terms of the current cyber threat, and it is a similar story when it comes to the response from business. 78% of businesses now say that cyber security is a high priority for their senior management, up from 69% in 2016. In addition, over half of all businesses have now implemented technical controls to meet the Government’s Cyber Essentials scheme. Even so, the survey highlights that there is still much to do, particularly when it comes to the supply chain: only one fifth of businesses require their suppliers to adhere to any cyber security standards.
Given the pervasive nature of the cyber threat, it has understandably caught the eye of politicians. At the Public Accounts Committee this week in Parliament, the head of the National Cyber Security Centre (NCSC), Ciaran Martin, was grilled on the UK’s approach to cyber security, following the release of a critical report by the National Audit Office (NAO).
Mr Martin noted that the national cyber threat falls into two broad categories: complex, malevolent state actor threats and unsophisticated high-volume cyber-crime. The NCSC’s main goal has been to tackle the low-level cyber-crime through technical, automated interventions such as the Government’s Active Cyber Defence programme, so that the Government can then focus its specialist efforts on the strategic threat from state actors. He also highlighted that the UK is now taking a more interventionist approach to cyber security, moving from a hands-off approach of information-sharing to a single approach to incident management, backed up by directed advice for businesses.
Much of industry, including the sectors that ADS represents, recognises that cyber security is a major priority, and ADS’s Special Interest Group, the Digital Information and Systems Integrity Group (DISIG), will continue to work on making our sectors safer in cyberspace in partnership with the NCSC and other bodies.