It’s notable that hackers have had a reduced presence in the headlines of late and it finally appears that efforts to curb their activities via improved security solutions and better collaboration are paying off. At a recent technology forum in London, KPMG’s head of cyber futures, David Ferbrache, said:
“I’m not sure they are quite winning the war, curiously, I would have given you a different answer two years ago. The takedown operations by law enforcement in conjunction with tech firms, telecoms, financial services are getting better, faster and more disruptive in terms of some of the things that the dark web sites use for trading information.”
He added the UK’s National Cyber Security Centre was also doing a good job and that it was becoming increasingly difficult to hack modern systems.
"It's actually getting harder to break into well-configured systems than it used to be. I used to run the red team penetration testing for KPMG as well and our job was getting harder."
There have been a range of government-led advances, including:
In October 2018, the Secure by Design initiative was introduced by the government for Internet of Things devices, with manufacturers required to ensure these are resistant to cyber crime.
In October 2019, the government partnered with chipmaker Arm, investing £36 million into developing attack-resistant technology to lessen the risk of cyber attacks.
Also in October, the government backed the ‘Prosperity Partnership’ involving Toshiba Research Europe and the University of Bristol, along with GCHQ, to develop more resilient wireless networks to crack down on financial extortion and terrorism.
This November, digital minister Matt Warman launched a call for evidence on improving cyber security across the economy, which aims to find out what barriers exist and how the government can ensure there is more effective cyber risk management.
The National Cyber Security Centre (NCSC), a government agency, recently announced it had defended the UK against more than 600 cyber attacks in the past year, bringing the total number to almost 1,800.
Oliver Dowden, the minister for the Cabinet Office, commented:
“We've made great progress on making the UK safer since launching our world-leading £1.9 billion cyber security strategy in 2015. Establishing the NCSC was a key part of this and has played a central role in tackling online threats posed by criminals, 'hacktivists' and hostile nation states…we are making the UK a more challenging place for our cyber adversaries to operate in."
Being more proactive is paying off and this can be seen in the NCSC’s ‘Active Cyber Defence’ programme, now in its second year. This includes a ‘Takedown Service’ to track down malicious sites, with notifications sent to the host to have them removed. The government wants to be on the front foot in terms of having the UK seen as a leader in providing solutions to counter cyber crime. In April, it produced the ‘Online Harms’ white paper, which outlines plans to boost internet safety, drive innovation and make businesses more responsible, in particular where children and other vulnerable groups are involved.
But, while there is some good news, there can be no room for complacency. For example, the Bank of England, PRA and FCA, together with HM Treasury, recently conducted stress testing to see if financial services firms could withstand a severe cyber attack. The testing on 29 large firms sought to find out how effective the sector was at responding to such an attack and whether the trade body, UK Finance, could handle communications. It was found that while there was effective co-ordination at a strategic level, this was not so at an operational level.
There was also inconsistency in the way firms handled decision making on areas like suspending services, and because data was stored in different ways, this impacted on recovery. The exercise showed the sector is still at risk. What is more, many cyber criminals go unpunished. Action Fraud recently pointed out that the majority of cyber crime cases are concluded without a suspect being identified. It admitted 40% of calls were ended before being answered - unsurprising given that the average time to answer a call was 16 minutes. There are also problems with police resourcing and expertise.
Bullish words from the government aside, progress should certainly be welcomed, but few would argue that cyber crime can ever be eliminated and there is clearly much work still to be done.
With cyber security remaining high on the agenda, our white paper provides some suggestions for the types of metrics that you may want to consider measuring as part of your cyber risk programme.