SECURING THE UK'S DIGITAL PROSPERITY
Enabling the joint delivery of the National Cyber Security Strategy's objectives
02 November 2016
The latest National Cyber Security Strategy (NCSS) sets out the UK's five-year plan to enhance resilience against a range of cyber-related threats. It is more comprehensive than its predecessor and has a robust set of objectives. It builds on the foundations successfully laid in the previous strategy through its key themes of deter, defend and develop, and also includes a new recognition of the need for further development of the UK's cyber skills. The scope of the strategy has been broadened to include the UK's wider cyber landscape, and it makes a commitment to a number of Active Cyber Defence measures to reduce the impact of high-volume cyber attacks.

The strategy also acknowledges that objectives from the last five years have not been met at the pace anticipated, particularly where there had been a reliance on the market. This reliance continues and there is a risk of history repeating itself unless a different approach is adopted. This approach should focus on joint action and shared responsibility to successfully implement and embed the changes outlined in the strategy. That means both top-down action from government and bottom-up pressure from industry, investors and the public. This effort should focus on three key elements:

1. Elevating the importance of cyber risk
2. Driving collective innovation
3. Embedding cultural change.

We explore each of these in more detail below.
Elevating the importance of cyber risk

Today 88% of FTSE 350 companies have cyber security on their risk registers [1]. Despite this, there is evidence that this risk is not always managed appropriately until the inevitable failure happens [2]. There is also a risk that many organisations' boards may now believe that the new national strategy provides sufficient protection against cyber attack and reduces the need for them to act. This is clearly not the case, and boards must play their part in strengthening their own organisation's defences. This includes acknowledging that responsibility for managing cyber risk does not rest with the IT department alone but requires the whole business to engage in this work.

Boards must then make sure they have a clear understanding of the value of their digital assets, the financial and reputational impact of any breach, and the impact this would have on trust in their organisation. They also need clarity about the investment required (now and ongoing) to achieve an appropriate level of cyber security for their organisation.

The strategy identifies a number of potential levers that can be used to support this work, including the EU General Data Protection Regulation (GDPR) [3], other regulatory action, and pressure from insurers and investors. Regulation, and ensuring compliance with it, will clearly be important. However, influencing the behaviour of investors to apply pressure on boards is potentially a more powerful driver of action.

As cyber risks to organisations become more apparent, they may look to insure themselves against losses. However, premiums are likely to rise significantly as the insurance market matures and responds to continuing poor cyber security controls and hygiene. In some cases, businesses may be unable to gain any form of insurance cover through which to recover losses resulting from a digital incident. This will be a key driver in galvanising investors to exert pressure and encourage businesses to change the way they perceive cyber risks and improve their cyber security.

[1] UK Cyber Security Strategy Annual Report, April 2016.
[2] House of Commons, Protection of Personal Data Online, June 2016.
[3] PA Consulting, http://bit.ly/2fvagrk
Driving collective innovation

The cyber threat is changing constantly, with new attack vectors and vulnerabilities being exploited every day. The strategy underlines that it is vital that UK plc focuses on innovation to stay ahead of the evolving threat. There are already a number of cyber-focused innovation clusters and government initiatives helping to foster UK innovation and to build future cyber skills. In addition, the government is providing funding to support cyber-related start-ups. This is providing helpful top-down direction, but a bottom-up demand from individuals and businesses to drive investment in new solutions which address their needs will be equally important in sustaining innovation.

Businesses should develop a deep understanding of the threats and an ability to respond flexibly to them through the right combination of innovative technology, process and people. Individuals need to be informed about the cyber dangers they face in a way they understand. They also require assurance that cost-effective defences are being developed for the services they use, such as third-party payment systems for online shopping. These defences should be applied to existing solutions as well as being built into new products and services by default.

Solutions also need to be developed and adopted in an agile way to drive demand and address evolving threats, acknowledging that as the threat changes so should our response. Making a compelling case to enable this to happen will mean tailoring the message to make it relevant to different stakeholders within industry and the general public.
Embedding cultural change

People can be the weakest link in cyber security, but if they are educated and informed properly, they can also be the strongest defence. It is in the national interest for the public to care about cyber security in the same way they care about environmental impact or health and safety. That means creating a culture of cyber security and providing simple and effective ways to respond to individual concerns, as well as helping people to protect themselves. These cyber defence actions should be embedded in daily behaviour in the same way that wearing bicycle helmets and seatbelts, or not drink-driving, have become the subconscious norm. Examples already include users upgrading to the very latest versions of software on a routine basis following an automated prompt to do so, and using two-factor authentication for some services such as online banking.

If this work is successful in raising public awareness of cyber risks, then this will put further pressure on the leadership of companies and organisations to make cyber security a priority at every level. There then needs to be a straightforward way for companies to respond to individual demands for proof of their cyber credentials and demonstrate trust. This could be common certification or badging through something like a Cyber Essentials Standard, which could then become accepted and understood in the same way as safety kitemarks.

Moving forward

The NCSS is a promising strategy which is honest about the challenges facing the UK and is ambitious about tackling them. Ultimately its success will depend upon innovative implementation. The experience of the previous strategy shows that this requires an approach that supports rapid action on a broad scale. In particular, it must focus on how to motivate all those involved to drive timely and effective action. To achieve this will require coherence between top-down government action and bottom-up demand from industry, investors and the wider public to drive innovation that keeps pace with the changing threats.

The cyber security risks are clear and the consequences of not managing them effectively are far-reaching for us all. However, there is now a real opportunity to work together and take the action that will achieve the strategy's vision of making the UK secure and resilient to cyber threats, and prosperous and confident in the digital world.

For more information contact digitaltrust@paconsulting.com
We Make the Difference

An independent firm of over 2,600 people, we operate globally from offices across the Americas, Europe, the Nordics, the Gulf and Asia Pacific. We are experts in consumer and manufacturing, defence and security, energy and utilities, financial services, government, healthcare, life sciences, and transport, travel and logistics. Our deep industry knowledge together with skills in management consulting, technology and innovation allows us to challenge conventional thinking and deliver exceptional results that have a lasting impact on businesses, governments and communities worldwide. Our clients choose us because we don't just believe in making a difference. We believe in making the difference.

19102

Corporate headquarters
123 Buckingham Palace Road
London SW1W 9SR
United Kingdom
+44 20 7730 9000
paconsulting.com

This document has been prepared by PA. The contents of this document do not constitute any form of commitment or recommendation on the part of PA at the date of their preparation.

© PA Knowledge Limited 2016. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise without the written permission of PA Consulting Group.