Cyber security and resilience across the UK economy
Cyber security and resilience across the UK economy - policy priorities for supporting businesses of all scales, securing consumer devices, and responding to COVID-19
Cyber security has been a big deal for the past few years, and the more we become reliant on the internet to communicate, do business and socialise, the more we are at risk from cyber attacks and hacks. Our lives are becoming increasingly connected, with the Internet of Things, smart devices, smart cities and digitally connected communities providing more opportunities for scammers and hackers to infect our systems, steal our data and hold our devices to ransom for handsome fees.
No matter how safe we believe we are, an attack can occur at any time, when we least expect it. From the outset of the Westminster conference hosted by eforum on Friday 30 October 2020, it was evident that all presenters believed that building resilience was the most important strategy, as it was difficult to build fully cyber secure systems. Due to the dynamic and fast pace of the issue, focusing on supporting businesses to learn how to bounce back after an incident with minimum loss or impact was deemed a key priority.
With a mass shift to using the internet to continue working following the disruption caused by COVID-19, people were more reliant on working online than ever before, leaving them exposed to a range of cyber attacks and crimes. Professor Prashant Pillai, Professor of Cyber Security and Director, Wolverhampton Cyber Research Institute, University of Wolverhampton, provided examples of the types of activity occurring following the pandemic outbreak, including:
- 700% increase in malicious websites
- Increase in HMRC, government and WHO disruptive communications
- 2000% increase in malicious Zoom links sent by phishing emails
- Fake job applications
- Fake charities
- Payment frauds
- Fake news, with over 6 billion COVID-19 assets published online, making it difficult to identify which ones are fake or true.
Professor Pillai also highlighted the psychological impact of COVID-19 on people who had been forced to work in ways that they had not done before. He explained that heightened stress and anxiety levels, leading to more distractions, made a lot of people more susceptible to being socially engineered, and emphasised this point by stating that they ‘would end up clicking the link because those phishing emails looked so real and you didn't have the time or you were so anxious that you just went on with it’.
As a large business that supports critical national infrastructure, provides services to over 30m UK customers and feeds into the development of new technologies such as 5G, BT regards security and resilience as fundamental. With such huge responsibilities, Alex Towers, Director of Policy and Public Affairs, BT, pointed out that skills, R&D and infrastructure are the key policy priorities for the next 5 years.
Setting out the risks and consequences of a cyber attack on healthcare systems and the need for instant response and recovery plans, Dr Saira Ghafur, Lead for Digital Health, Institute of Global Health Innovation, Imperial College London, presented the case of a ransomware attack on a hospital in Germany that could lead to the ‘first death as a result of a cyber attack’. German authorities have started investigating whether there was a direct link between the attack and the death, with the hospital likely to be investigated too.
Considering the impact of death following a cyber attack on a hospital’s system, Dr Ghafur called for more awareness, education and minimum requirements for cyber readiness across all hospitals.
The issue of cyber attacks against democratic processes and critical national infrastructure was brought up by Simon Staffell, UK Government Affairs Manager, Microsoft UK whilst presenting findings from the Microsoft Digital Defense Report, September 2020.
Simon also explained how cyber crime follows the headlines of the day, as illustrated below, where COVID-19 themed malware attacks started popping up once the news of the pandemic broke in the UK.
Both Professor Pillai and Simon Staffell spoke of the issues faced by cyber security professionals working within organisations, where their scope of work changed dramatically from on-site, in-office infrastructures to remote workplace scenarios. Identifying and containing breaches was made harder by the working from home situation, which has led to businesses and organisations having to review and adapt their security operations. Notably, how to secure systems when people are working from their own laptops and desktops and using a range of software has now become a key issue that needs the right solutions.
According to the Federation of Small Businesses (FSB) survey outcomes, cyber crime was listed in the top 3 issues faced by SMEs, along with theft and burglary. The most common cyber crime incidents for SMEs were phishing, fraudulent payments and malware, with an average cost of over £7000 per business across 2 years. The conundrum faced by most SMEs is the need to adopt digital technology to increase productivity, which then leaves them more vulnerable to cyber crime.
In presenting the case for supporting SMEs, Sonali Parekh, Policy Director, Federation of Small Businesses, called for more investment in helping SMEs build cyber resilience whilst encouraging digital adoption. Sonali also advised that SMEs need to be dynamic in their actions, in line with how dynamic the threat landscape is.
Although the National Cyber Security Centre (NCSC) has created a range of services and resources to support the public sector, there is still a lot to be done, especially as local authorities handle their own cyber security operations on limited budgets. Hackney’s hack attack and Redcar’s ransomware attack have left the former experiencing weeks of disrupted services across the board and the latter losing £10m. These incidents provide clear cases of how vulnerable local authorities are and how they need to be prioritised and supported to build their resilience against cyber crime. Speaking on behalf of the NCSC, Victoria explained that LAs need to move to the cloud ASAP, which is something that they are behind on.
A 5 stage cyber readiness program, presented by Kiersten E. Todt, Managing Director, Cyber Readiness Institute and former Executive Director, Presidential Commission on Enhancing National Cybersecurity, provided clear steps on what senior organisational leaders need to do in this area.
The main focus of the program is human behaviour. Through working with a range of global companies, the program has helped develop cultures of cyber readiness, secure franchises’ brand and reputation, and integrate cyber readiness content into supply chain offerings.
Cyber security, cyber resilience and cyber readiness need to be moved up the priority list on all business and board agendas. Asset audits and assessments, and business continuity and disaster recovery plans incorporating offline and backup strategies, are essential, as is ensuring that the plans actually work by testing them using simulated exercises. All systems, from desktops and mobile devices to networked and wireless connectivity, need to be regularly reviewed and updated to ensure vulnerabilities are minimised. Most importantly, staff, teams, suppliers and all human resources need to understand how their actions and behaviours whilst using the internet can affect a cyber incident. They should also be encouraged to buy into a culture of security and resilience when at work but also in their personal lives, especially if working from home is to become the ‘new norm’ for some.