UK cyber crisis calls for broader regulation in the face of economic gloom
Amid countless reports of data leaks, hacks, and fraud, the UK economy isn’t adapting to deal with the pace of cybercrime, as threat actors continue to perfect their insidious attacks.
As the wave of cyberattacks overwhelms organisations industry-wide, the crisis becomes an issue affecting not only businesses, but the daily lives of citizens, whose money, data, and access to essential services are at risk. The NCSC Annual Review 2022, emphasised the challenge faced by the UK economy, highlighting the prevalence of ransomware. 18 incidents this year have required a nationally coordinated response, including attacks on a supplier to NHS 111, and South Staffordshire Water, and official figures revealing a staggering 2.7m cyber-related fraud attacks.
Covid-19 brought about the rapid adoption of new technologies and a huge increase in staff connecting remotely. The increased interconnectivity of networks, systems, devices, and digital services has helped deliver undeniable benefits to the UK’s economy; however, these advances open the door to a greater risk of cyber threats, both deliberate, and accidental. We now rely on technology in every aspect of our lives, from government services to banking, education, health, power, and other utilities.
The Russia-Ukraine war will go down in history as the first true cyber war. And as we’ve seen in previous wars, during this conflict the pace of development in technology; and specifically in cyber weapons, will be significantly amplified. The fact that threat actors have regularly crossed the line in Russia (and other states) between working for national interest and working for cybercriminal groups, only adds to the certainty that newly developed weapons will be used outside of the conflict for cybercriminal activities, bringing the risk of systemic losses into stark focus. Organisations do not have long to assess and remediate.
Neil Hare-Brown, CEO, STORM Guidance
The probability of one or more major attacks against UK government and business is now a matter of when, not if, and the economic dependence on critical national infrastructure (CNI) raises the likelihood of a catastrophic impact.
Cyber perils now rank as the top corporate risk. So, what is the UK government doing to address this concern?
The 2022 National Cyber Strategy set out the government’s plan for resilience to cyberthreat and their approach for innovation and investment in the protection of citizens against crime, fraud, and state threats. The review found that although new regulation has had a positive impact on organisational cybersecurity, there were still very real concerns over gaps in national resilience. Expanding on this, it highlighted increasing levels of cybercrime and breaches affecting government, businesses, and individuals, as well as cyber-enabled crimes such as fraud. Attesting the escalation to legacy IT systems, supply chain vulnerabilities, and a shortage of cybersecurity professionals, the report claimed many businesses do not understand the cyber risks they face, the incentives to invest in cybersecurity, and the importance of reporting breaches.
The report presents a clear argument for more stringent, transparent, and broadly reaching regulation across all UK businesses. This article seeks to clarify plans for such new regulations forming the basis of the government’s 2022 National Cyber Strategy, to identify whether it meets the economic need for tighter controls cross-sector, or whether further intervention is still required.
Over the past 8 years, we have handled many hundreds of incidents, undertaken digital investigations, and performed cyber risk assessments.
We have found that the current cyber incident pandemic can be attributed to threat actors taking advantage of four key vulnerabilities:
Poorly written and vulnerable software, enabling attackers to exploit weak or unpatched systems.
Poorly configured systems where security mechanisms are not implemented to prevent unauthorised access.
Poorly trained staff who are easily deceived by attackers, using their victim’s access and/or implicit trustworthiness to commit fraud and steal data.
Lack of corporate governance and strategy on cyber risk (key review areas for effective cyber risk management include - responsibilities, asset awareness, IT budget, payment controls, IT staff count ratio, cyber skills and awareness, and technology versions)
The Cyber Security Incentives and Regulations Review 2022 outlined a number of grave organisational statistics that clearly verify the above observations. For example, 1.4 million UK businesses employ staff, yet many are not taking basic protective actions, with only 15% carrying out audits of their cybersecurity resilience, and only 14% training their staff on cybersecurity. The review went further, highlighting a reduction in the use of up-to-date malware protection at 83% of businesses, down from 88% in 2020, and only 35% using security monitoring tools, down from 40% in 2020. The Cyber Security Breaches Survey 2021, demonstrated concerns over a lack of corporate governance and strategy on cyber risk, with over a third of businesses (39%) having experienced breaches or attacks in the last 12 months. And yet even after the reality of a cyberattack, only 35% had taken action to improve their resilience to cyberattacks. Aggravatingly, only two-fifths (37%) of businesses reported breaches externally (e.g., to the public or law enforcement); a predominant cause of the destructive ‘black swan theory’. Validating this latter point, UK Cyber Survey research established just under half of businesses (48%) did not see cybersecurity as a priority or thought it unlikely they would be targeted.
The UK government has stated that it plans to “increase the reach and adoption of existing activities and guidance”, recognising that “engaging more of these businesses in getting basic protections in place is a key priority, as is moving other, more engaged firms, further along the journey to cyber resilience maturity”.
Does the 2022 National Cyber Strategy provide a solution?
As part of the government’s economic review of cybersecurity controls, they have set out their 2022 National Cyber Strategy, for the purposes of Regulation 2 of the UK Network and Information Systems (NIS) Regulations 2018.
Their aim is to be a leading responsible and democratic cyber power by 2030, with the following goals to become:
a more secure and resilient nation, better prepared for evolving threats and risks and using our cyber capabilities to protect citizens against crime, fraud, and state threats
an innovative, prosperous digital economy, with opportunity more evenly spread across the country and our diverse population
a ‘science and technology superpower’, securely harnessing transformative technologies in support of a greener, healthier society
a more influential and valued partner on the global stage, shaping the future frontiers of an open and stable international order while maintaining our freedom of action in cyberspace.
The review outlines their plan to build this resilience, insisting they will ‘scale up their work’ to make the internet safer, ‘build communities that can defend themselves’, ‘move from gathering to acting’ on evidence and data, and ‘set ambitions’ to make the government an example of best practice in cyber security. However, with the latest scandal over Liz Truss’s phone hack, and the Department for Education under crossfire for breaching 28m children’s personal data, some may argue that there is some way to go in the demonstration of positive leadership in cybersecurity best practice. In respect of organisational cybersecurity objectives, the strategy aims to “prevent and resist cyberattacks more effectively by improving the management of cyber risk within UK organisations, and providing greater protection to citizens”, but how do they intend to achieve this?
The government’s approach assumes that UK organisations have an obligation to manage their own cyber risk, however, it has stated that “stronger frameworks of accountability and good governance are needed at board level”, and that the government has a role to play in working with industry to reduce risk.
They plan to work with sole traders, small businesses, and organisations to manage their cyber risk, in view of protecting UK internet users. By 2025, the goal is to “make it more difficult to register websites for illegal purposes, increase the takedown and blocking of malicious content online, improve the recovery and return of stolen credentials, and enhance the security of UK telecommunications infrastructure”. Observing potential complications here, Neil Hare-Brown, CEO of STORM Guidance explains: “The challenge will be in re-directing a decades-long, some would say ‘headlong’ drive for expansion of low-cost internet services onto a path where cyber resilience is a critical consideration. Perhaps only regulation will have the ability to force such a fundamental shift, but few executives could honestly say that decisions to adopt new technologies generally favour security over utility, especially when the security option is often at a higher cost.”
The Network and Information Systems Regulations 2018 is perhaps the most encompassing legal measure to support industry-wide accountability, regulating the overall level of cyber security and physical resilience of systems that are critical for the provision of digital and essential services.
Providers of telecommunications, online marketplaces, search engines, cloud computing services, transport, energy, water, health, and digital infrastructure fall within the scope of NIS regulations, and following the review in May 2020, it was found that a significant threat to these sectors remained, and further intervention was needed. To drive this change, the review highlighted a need for clearer and more effective enforcement, refining the current provisions around notices, penalties, and thresholds. However, NIS Regulations do not apply to digital service providers that qualify as small or micro-enterprises, or to many industries critical to the UK's economic recovery and continued success.
Following the 2021 pre-consultation impact assessment on legislative proposals to improve the UK’s cyber resilience, the government established a NIS national strategy, which has been embedded within the 2022 National Cyber Strategy. Seven amendments were put forward in the January 2022 consultation, including “expanding the scope of ‘digital services’ to include ‘managed services’, and strengthening existing incident reporting duties. Operators of essential services and relevant digital service providers are required under NIS Regulations “to take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services”, and it seems most NIS competent authorities have chosen to use the Cyber Essentials framework. Cyber Essentials is now also widely adopted by organisations outside the NIS Regulations, especially those providing services to national and local government entities.
Although positive steps have been made, it seems that many UK businesses remain outside the scope of NIS regulations, with government intervention targeted towards key players rather than aimed at organisations across the whole economy. Another example is the Proposal for legislation to improve the UK’s cyber resilience, which again relates to organisations that provide important digital and essential services, essentially, all those who fall within the remit of NIS regulations. The consultation seeks to drive up levels of cyber resilience and pays particular focus to managed IT Service Providers, a concern shared by us at STORM Guidance, as outlined in our article that explores the need for regulating ITSPs as well as helping them to improve competence.
The Cyber Essentials Scheme
The 2022 cyber strategy claims to future support businesses with cyber resilience to ensure cyber security forms a part of their standard set of good business practices.
It focuses on enabling better governance procedures, intervening in the utilisation of incentives and regulation, and providing support across all four policy areas: Foundations, Capabilities, Market Incentives, and Responsibility. However, aside from this guidance, it seems the only provision for industry-wide cyber resilience is the encouragement to adopt risk management services developed by the government, namely, the Cyber Essentials Scheme, which they say they will mandate, “where circumstances warrant it”.
However, in June 2020, an evaluation of Cyber Essentials (CE) by Britain Thinks found the framework had room for improvement. And after the 2019 Cyber Security Incentives and Regulations Call for Evidence found the lack of a standardised definition of effective cyber risk management was a ‘moderate to severe barrier’ to organisational info security best practice, the Department for Digital, Culture, Media & Sport (DCMS) and the National Cyber Security Centre (NCSC) now seek to propose changes to the scheme. The review found several additional barriers to the adoption of the framework, including issues of accessibility due to the high cost of meeting the technical requirements of CE, and the technical aspect of the language and the controls themselves. Evidence also found there were concerns over CE being viewed as a compliance exercise failing to provide sufficient assurance that an organisation is effectively managing cyber risk, and that it is frequently viewed as unfit for purpose being too prescriptive and/or too basic, or too vague or demanding. And in our recent article, Risk Management Regulations Set to Hit the Cyber Market, we noted that CE is not designed to estimate exposure to attack in the way a risk-based assessment would. It aims to improve resilience simply through technical controls and is not sufficient in addressing points 3 and 4 of the ‘4 key vulnerabilities’ outlined at the start of this article. Furthermore, CE appears to be more of a data collection exercise when it should be focused on critical safeguards relating to people, process, technology, data, and vendor management which are key aspects of our risk assessments.
How does the NCSC plan to address the 4 key cyber vulnerabilities faced by UK businesses?
In our inquiries with the DCMS over how the government plans to address the key vulnerabilities observed at STORM, they outlined a range of guidance, however, this is mainly on a voluntary (rather than regulatory) basis and does not really align with the most critical issues.
On “poorly configured systems”, Cyber Essentials and other NCSC guidance (such as the Cyber Assessment Framework) sets out how organisations should prevent unauthorised access to their systems.
On staff training, the GDPR/Data Protection regulations include staff training as a way of implementing data protection policies and the NCSC offers a free online staff training course on cyber security.
On corporate governance, recognising that cybersecurity needs to be incorporated into strong corporate governance procedures, the government recently set out proposals to strengthen the way UK companies are audited. The Resilience Statement requires public and private companies with 750 employees or more, and an annual turnover of at least £750m to report challenges to cyber resilience, including their ability to manage cybersecurity threats and the risk of significant personal data breaches.
The DCMS response to the latter point indicates a heavy leaning towards the management of risk in large organisations.
This is surprising as significant research - much of which is commissioned by or acknowledged by the government - demonstrates the biggest cyber resilience problems lie with SMEs.
According to the government's Cyber Security Breach Survey 2022, 36% of micro firms, 48% of small firms, and 59% of medium firms identified breaches and attacks in the last 12 months. And in an article by Forbes, they outline how cyber threat is increasing against all businesses, but most predominantly SMEs, who suffer more frequent, targeted, and complex attacks. According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at SMEs, and yet only 14% are prepared to defend themselves.
This matters to both national and local government, as both promote and operate procurement activities that rely on SME service providers, and so resilience in this sector is critical to the delivery of public services.
Although many large businesses suffer breaches, SMEs tend to be easier targets due to a lack of resources and security expertise. The concern for small businesses was noted in the earlier cited NCSC Annual Review 2022, which stated: “The most significant threat facing citizens and small businesses continued to be from cybercrime, such as phishing, while hacking of social media accounts remained an issue”. In an article by the Insurance Times, just 20% of UK SMEs have cyber insurance, and with an attack easily costing £200k, and 70% resulting in a data breach, thus falling foul of the Data Protection Act, it’s clear government intervention is needed. And yet, even given the stakes, tighter regulation is not set to improve the resilience of those businesses that are most at risk, and as it seems, most unaware of the wolf at their door.
What needs to happen to secure UK business resilience?
Neil Hare-Brown, founder and CEO of STORM Guidance, has worked in information risk and investigations for over 30 years and is a respected name within the cybersecurity space.
STORMs first-hand management of cyber incidents and the many decades of experience in cyber risk assessment, serves to inform a clear idea of what is needed to prepare UK government and business for further challenges in the fight against cybercrime. Neil outlines the crucial changes that are fundamental to economic resilience:
Explaining cyber risk to board-level executives needs to be frank and presented only in the form of business strategies; technical aspects must only concern management and staff involved in tactical and operational activities. Furthermore, regulation must compel board-level management to implement and measure cyber strategies. Boards may not welcome such regulation, but they will be thankful for it when their organisations are attacked.
Cyber risk assessment schemes proposed or supported by government must be revised to focus on risk. They must be optimised to expel noise and unnecessary data collection in favour of unambiguous and sector-specific assessments and recommendations.
There must be improvement in the communication of cyber risk from intelligence communities to assist in the understanding of forward threats. At present, there is still too much focus on information gathering and not enough on useful information dissemination, or practical guidance on what organisations can do to protect themselves. Some cold war horizon-scanning and guidance need to be applied to cyber before it’s too late.