On 1 November the UK National Cyber Security Strategy 2016-2021 was launched by the Chancellor. It is a £1.9bn programme to make the UK ‘confident, capable and resilient in a fast-moving digital world’ and to protect the UK economy and the privacy of its citizens against cyber attacks that are growing more frequent, sophisticated and damaging. It recognises that this isn’t “just” an IT issue; people and process have key parts to play in being secure.
There are three objectives:
DEFEND – to have the means to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.
DETER – to detect, understand, investigate and disrupt hostile action, pursuing and prosecuting offenders, with the option to take offensive action in cyberspace.
DEVELOP – to support the innovative, growing cyber security industry, underpinned by world-leading scientific research and development.
The Government intends to intervene more actively and work with the ‘private and public sectors to ensure that individuals, businesses and organisations adopt the behaviours required to stay safe on the Internet’. It will develop and apply active cyber defence measures to significantly enhance the levels of cyber security across UK networks. This includes minimising the most common forms of phishing attacks, filtering known bad IP addresses, and actively blocking malicious online activity. It has created the National Cyber Security Centre (NCSC) to act as the authority on the UK’s cyber security environment, sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues.
Businesses are responsible for taking ‘all reasonable steps to protect their personal data, and build resilience into the systems and structures on which they depend. Businesses and organisations must also understand that, if they are the victim of a cyber attack, they are liable for the consequences’.
The strategy says the majority of businesses are still not properly managing cyber risk. Nearly seven out of ten attacks involved viruses, spyware or malware that might have been prevented using the Government’s Cyber Essentials scheme.
The Government will work with organisations such as insurers, regulators and investors, which can exert influence over businesses to ensure they manage cyber risk. It will also make sure the right regulatory framework is in place to manage those cyber risks the market fails to address and to improve cyber security. This includes the General Data Protection Regulation (GDPR) – a clear statement that companies need to make themselves compliant by May 2018 or run the risk of being fined.
The Government will take the lead in protecting the UK economy and the privacy of its citizens against cyber attacks. The NCSC will share knowledge about security best practice.
Businesses are responsible for taking all reasonable steps to protect their personal data and to build resilience into the systems and structures on which they depend. If they are the victim of a cyber attack, they are liable for the consequences.
GDPR compliance will be mandatory. Brexit has no impact.
People, process and IT changes are required to improve security.
WADIFF Consulting helps companies manage all the security risks to a business – cyber, electronic and paper records, people, process, data protection legislation, physical access and business continuity. Get in touch for details about the practical ways we can help your business be more secure.
t: +44 (0)7941 188462