IA15: Public trust in networks and data depends on security

IA15 UK Government's Cyber Security and Information Assurance event

Ascentor’s Steve Penny and Paul Trethewey attended the IA15 event in London on the 9th and 10th November where Ascentor was also an event sponsor. Hosted by GCHQ, it was HM Government’s principal event for briefing the UK’s information security leaders. In a year that has seen bigger and more frequent security breaches, the event focused on a topic at the core of Ascentor’s work – the implementation of effective cyber security in our public services.

This high-level event drew a number of prominent speakers from government, academia and industry. We were expecting to hear high-calibre and thought-provoking debates, and that’s exactly what we got, starting with the opening keynote address by Matthew Hancock, Minister for the Cabinet Office and Paymaster General.

Constant and relentless attacks

Describing cyber attacks against the UK Government and businesses as “constant and relentless,” his speech illustrated the scale of the information security threat as we near the end of 2015. While the high profile security breaches like Sony, TalkTalk and the US Office of Personnel Management make the headlines, he said the Government’s secure internet was also under attack, with on average 33,000 malicious emails being blocked at the gateway every month. “This is what we don’t hear about” he said, but we have to make cyber security a “core responsibility.”

Each cyber attack comes with organisational costs and economic damages which, according to Hancock, are spiralling upwards. He quoted the cost of an average hack on a big company as £1.5 million, up from £600,000 last year. He also suggested that we aren’t getting the full figure as 70% of UK businesses didn’t disclose their biggest security breach in the past year.

Matthew Hancock also shared an opinion, long held by Ascentor, that cyber security and the associated risk is now far more than ‘just’ an IT issue.

“As digital progress has grown, so have the risks and this is no longer an issue for the IT department; it is a Boardroom issue and a Cabinet table issue.”

Matthew Hancock, Minister for the Cabinet Office and Paymaster General

Public trust and ageing networks

Trust was a recurring theme across IA15; in the opening address and in several other presentations. Robert Hannigan, Director of GCHQ, stressed that citizens need to be able to trust government to keep their data safe. Reflecting on an earlier government data loss in 2007 when 25 million records of parents in receipt of child benefit went missing, he said “data loss can be so corrosive to trust in public services.”

“Government doesn’t work properly if citizens don’t trust it to keep their information safe, and we must never forget that.”

Robert Hannigan, Director of GCHQ

Robert Hannigan also talked about how concerns about cyber attacks have migrated from the security world into the public domain, risking confidence in the digital world. “I am struck by the increasing concerns people have in everyday life about cyber threats. There is an increasingly sophisticated understanding in the public realm that cybersecurity affects everything they do.”

And yet, as Matthew Hancock explained, many of the successful attacks on government systems are made possible by exploiting its out-of-date technology.

“Some of our legacy systems were designed even before the invention of the web. Security therefore had to be bolted on top rather than built in as an intrinsic part of the system.”

Matthew Hancock, Minister for the Cabinet Office and Paymaster General

This quote struck a particular chord and resonates with Ascentor’s ‘IA Inside’ thinking on Information Assurance. We believe that IA must be built in at every stage of a project in a full lifecycle approach, similar to the principles of Total Quality Management. However, the reality is that we see examples where Information Assurance isn’t integral to working practices and systems – often because it’s not thought about in the planning stages.

IA Inside Model by Ascentor

In our experience, organisations often pay lip service to it or add it as an afterthought. In major public projects, especially ones that involve sensitive information, and therefore relevant to many attending IA15, this is just not acceptable.

As the Government is now phasing out ageing technology and instead building what Matthew Hancock described as “agile and adaptive systems that allow us to respond rapidly to threats,” this is an opportunity to build in robust IA at every stage of these new projects.

To find out more about Ascentor’s approach to Information Assurance, please see our article IA Inside – building Information Assurance into the heart of your projects.

Cyber security skills gap

Another hot topic on the agenda at IA15 was the skills shortage in the cyber security sector. Matthew Gould, Director of Cyber Security and Information Assurance at the Cabinet Office, said the skills gap “needs to be addressed between schools and universities” while Robert Hannigan said that developing enough skilled people was “one of the biggest challenges for the UK in cyberspace in the years to come,” adding that “whatever else we do, we must not take our eye off skills.”

“The global shortage of relevant cyber skills is set to get worse over the next twenty years unless radical action is taken.”

Robert Hannigan, Director of GCHQ

With each widely publicised breach, the demand for qualified cyber security professionals only increases. That’s why we discussed the issue in a recent blog, looking at the predictions and exploring how the cyber security sector might better attract the talent it needs now and create a pipeline for the future. You can read more in our article The cyber skills shortage gap – taming the perfect storm.

The Insider Threat

We’ve noticed that the ‘Insider Threat’ to information from people within an organisation has rarely been out of the information security press across 2015. It wasn’t a big surprise, therefore, to hear it mentioned at IA15.

Mike Stone, Chief Digital and Information Officer, MOD, talked of the need to deter the Insider Threat, and Peter Davies of Thales, speaking in the ‘Different Aspects of Cyber Attack’ talk, described how employees can be targeted for up to 4 years so they could be the “Insider Threat of the future.”

Back in July 2012, Ascentor published our own research into employee behaviour and how it relates to Information Risk. We’ve also recently re-visited the topic, comparing our findings with more recent research on The Insider Threat. If you’d like to find out more, please see our article The Human Face of Information Risk Re-visited on our blog. This article also contains links to recent Insider Threat research by Vormetric and Intel.

The greatest challenge to information security?

As we reflect on IA15, perhaps the greatest challenge to information security can be found in a one-line quote from Robert Hannigan. “As we all know, the Internet is an inherently insecure environment because it was not designed – insofar as it was designed at all – with security in mind.”

He then posed a challenge for academia, industry, and for government. “If over time, it became possible to build in structural features which would allow more automatic protections from basic attacks for those who wanted them, while preserving the free and open nature of the internet – that could have the potential to be truly transformative.”

It’s a challenge that Ascentor is committed to playing our part in. We’ll see you at IA16.

For further information:

If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of Cyber Security and Information Assurance, please contact Dave James at Ascentor.

Email: [email protected]

Office: 01452 881712

Web: ascentor.co.uk

