18.04.17
Cyber security is a strategic risk management issue
Source: PSE Apr/May 17
Alison Whitney, deputy director for digital government at the National Cyber Security Centre (NCSC), explains how the organisation will be working closely with the public sector to build a more safe and secure digital environment.
The NCSC was opened by Her Majesty The Queen in February with a clear aim: to make the UK the safest place to live and work online. Key to delivering this will be how we work with our fellow public sector organisations to help build cyber skills, develop innovative defences and assist in the management of online incidents.
The digital environment offers many exciting prospects for the public sector. It opens up new opportunities to deliver integrated services to our citizens through easy-to-use portals. But along with the opportunities come risks, which carry financial and reputational price tags.
Every organisation must have their own cyber security policy and be on the front foot in terms of preparedness. Cyber security is a strategic risk management issue, not an IT problem. Senior staff have a responsibility to think very seriously about the cyber security threats they face, their vulnerability to those threats and the potential impact to their business.
Clear lines of accountability
They must allocate responsibility for risk ownership and have clear lines of accountability in place. Risks need to be reviewed regularly: threats, business processes and technology may all change and assessments and mitigations must adapt accordingly. They should be reflected in an organisation’s security policy and senior managers must have confidence that it is understood and followed by their workforce.
But this article serves to shine a light on some of the work the NCSC is doing behind the scenes to help the public sector make the most of the digital age. Our Active Cyber Defence programme is intended to tackle, in a relatively automated way, a significant proportion of the cyber-attacks that hit the UK. We want to trial these techniques with public sector organisations.
It’s well known that the majority of successful cyber-attacks are not that sophisticated in technology or expertise. They are often low-cost and easy to deploy for the attacker, but can do serious damage to the victim. For the majority of attacks, email is the main attack path. It often relies on an abuse of the trust in the sender of the email by spoofing a well-known brand – such as a public sector body.
DMARC implementation
The previous advice of ‘don’t click on something sent by somebody you don’t trust’ has become obsolete, because the spoofs can be so professional they could even fool somebody who works at the organisation. We want to stop harmful messages being received in the first place – and we want to start by making public sector brands among the most trusted. Public sector organisations that implement Domain-based Message Authentication, Reporting & Conformance (DMARC) can help stop criminals spoofing emails. HMRC’s DMARC implementation will stop nearly half a billion spoof messages from ever being delivered to unsuspecting customers.
The NCSC has also partnered with UK SME Netcraft to look for phishing hosted in the UK, webinject malware hosted in the UK and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site, reducing the number of phishing emails purporting to come from public sector departments.
Incidents will still happen. Organisations should know how they will respond, exercise their response processes and ensure they learn lessons for the future. If any public sector organisation feels they are the victim of a significant cyber security incident, the NCSC offers support 24 hours a day, seven days a week, 365 days a year.
But the public sector should not simply wait for an attack to happen. Public Sector organisations that adopt our protective Domain Name Service will be prevented from unknowingly accessing sites that are known to do harm. Working with the Government Digital Service, we have partnered with Nominet UK to build a Domain Name System service for the public sector that launches in April. It will protect their networks from attack and generate data to understand the state of public sector IT.
Our ‘Secure by Default Partnership Programme’ helps organisations trial adoption of new technologies they might otherwise not know about. We are looking to help a number of public sector organisations to adopt innovative technologies, learn from their experiences and share the results with the wider sector. Together, we can show that these new technologies can be adopted successfully throughout the public sector, for clear business benefits.
Close collaboration between the public and private sector is a key to success. Organisations can also apply for one of the 100 roles embedded inside the NCSC. Industry 100 invites organisations of all sizes to collaborate with the NCSC by embedding someone as an integree, bringing expertise together to help us all learn lessons, identify systematic vulnerabilities and reduce the future impact of cyber-attacks.
For the UK to maximise our fantastic digitalised opportunities, we need to recognise that they rely upon a secure digital space. The NCSC is doing everything it can to maintain confidence in our increasingly digitised economy, and we look forward to working closely with the public sector to build a more safe and secure digital environment.
To find out more about the NCSC’s incident management services, visit:
W: www.ncsc.gov.uk/incident-management
To learn more about Industry 100, visit:
W: www.ncsc.gov.uk/information/industry-100