The UK’s national cyber security agency aims to help organisations understand the need to act collaboratively and collectively against the cyber threat, urging them to raise the bar

UK organisations can learn from sport in how they prepare for and execute cyber defence programmes, according to the National Cyber Security Centre (NCSC).

“Most people enjoy some kind of sport and will understand how top athletes reach their goals, and I think we can learn a lot from them in terms of cyber defence,” said Jacqui Chard, deputy director, defence and national security at the NCSC.

“Cyber threat doesn’t respect borders, jurisdictions or organisational boundaries. It won’t wait for us while we set up policies, laws and international agreements, so we need to work with our friends and allies to get the best defence and response to the challenge, and make sure that none of us is the weak link,” she told the Security and Counter Terror Expo in London.

Applying the sport analogy, Chard said the NCSC is working to help create an ecosystem where grass-roots cyber flourishes, where people are engaged and choosing cyber security as a career.

“The NCSC has a number of initiatives in this area, including our Cyber First girls’ competition, now in its second year, with 4,500 girls entering already,” said Chard, adding that the ratio of men to women in the cyber security industry is currently 9:1.

The NCSC is also working with UK businesses to sponsor undergraduates and postgraduates, hold summer cyber schools and provide schemes and materials for schools to use.

In terms of selection and training, Chard said that just as in sport, work needs to be done at a national and international level to encourage a well-equipped, constantly learning workforce.

“This includes apprenticeships where individuals move between government and industry on placements, and schemes like the Ministry of Defence’s cyber reservist scheme and the NCSC’s Industry 100 scheme for professionals to work with the NCSC in operational and non-operational roles,” she said.

Chard said it is important to note that it is not only about subjects such as science, technology, engineering and maths (Stem), but also about socio-technical skills and the human factors relating to cyber security.

After selection and training, the NCSC is looking to provide support structures, just as any sports team would, she said. “Bringing together the knowledge and the support structures with technical equipment and engagement are needed to gain the best team performance.”

Although the NCSC is unique in that it is tracking more than 100 sophisticated threat actors and has some unique trade craft to bring to bear, Chard said there are many others who have a deeper understanding of the technologies that the world relies on and many have real-world experience of thousands of cyber attacks a day. “A number of incidents the NCSC handled in the past year were identified by industry before we had direct sight of them,” she said.

Just as athletes need to exercise and practise their skills, cyber defenders need to practise their defence tactics and team formations, said Chard. “The time to decide what to do in an incident is not at the time of the incident, and you would be amazed at how many organisations are doing that,” she said. “Too many organisations don’t have plans so that people know who to contact and how, if the network is down, for example.

“Exercising is also a basic military skill, and we should deploy this sport and military discipline in cyber space by working out what can go wrong and looking at what happens, to learn to improve our defence and response posture.

“We need to focus on the basics and get the cyber hygiene right, and develop a culture that leads to winning by motivating staff to want to improve and to identify and tackle mistakes and issues.”

All too often, business cultures hide bad news and look to apportion blame when things go wrong, said Chard. “Good cyber cultures focus on the overall business goals and the role of ICT to enable those goals through continuous improvement, and they have staff who understand what is bad cyber practice, such as connecting unmanaged devices to the network,” she said. “Getting rid of all this noise will help organisations concentrate on the really difficult problems.”

Staying with the team sport analogy, Chard said it is important for organisations to share cyber threat information and good practice between sectors. “During the Winter Olympics, we heard how our successful sliding teams were learning from British cycling’s investments in fabric technologies and increased performance through an accumulation of marginal gains, and this also applies to cyber security,” she said.

“The finance sector is learning from the military, and small businesses are learning from multimillion-pound organisations. We need to learn to listen to each other and not disregard things as not being context relevant.

Work to raise the bar

“We need to work to raise the bar together. The team should help those that are falling behind, and in this way our overall cyber security will improve if we all up our game.”

This should include suppliers patching all their systems and not shipping systems that are not locked down, and government departments updating their technologies to the most secure versions and following best practice, said Chard.

Just like sport, everyone needs to know the rules and play by those rules to remain effective, and that includes understanding and using the tools provided by new legislation such as the EU General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) directive, she said.

“We need to lead from the top. No team is inspired by a coach or manager unless they demonstrate the appropriate behaviours. Senior people in organisations really need to understand risk and demonstrate the security culture that they are looking for in order to be safe.

“And then, when the worst happens, we need to tackle the issue together. We need to stop the harm, reduce the damage, recover the operation and avoid becoming a victim in the future. We need to build those relationships now – internationally, regionally, between industries and with the press so that we are ready when thing go wrong.”

In closing, Chard highlighted the growing number of resources available through the NCSC’s website to help organisations stay safe, including the NCSC’s weekly threat reports, Ten steps to cyber securityCyber security guide for small businessesSecurity guide for small charities, and 12 principles of supply chain security.

She urged UK organisations to demonstrate “strong leadership” in their communities, to avoid becoming a “weak link” in the supply chain, and to report all cyber crime to Action Fraud and organisational cyber attacks to the NCSC. “And if it all goes wrong, then get help and get it quickly,” she said. “Don’t delay, and don’t employ the companies selling snake oil who claim to be able to protect you from all known and unknown threats, because this is not possible.”

Source: Computer Weekly

7th March 2018