Increasing threats are pushing government and industry to the limit
Cyber security remains one of the greatest challenges that the UK government, commerce and consumers face. The UK remains an attractive market for cyber criminals, with multiple reports showing an increase in both the volume of attacks and the cost of remediating them. Symantec estimates the cost of cyber crime to the UK economy to be around £4.6 billion. High-profile cyber security breaches in 2018 at British Airways, Dixons Carphone and Butlins, which resulted in the loss of customer data, highlight the persistent threat.
In July 2018 the Office for National Statistics released estimates from the Crime Survey for England and Wales that show that, out of a total of 10.5 million reported crimes, 1.23 million were computer misuse and over half of the 3.24 million fraud offences were thought to be cyber related. Even taking a conservative estimate, this would mean cyber crime accounts for about 27% of total offences in England and Wales, and that is not accounting for all those that go unreported.
The threat will increase in 2019 and, whilst there have been improvements in cyber protection, more needs to be done. Government, industry and the buyers themselves must take action. Whilst the government should lead the way, all three stakeholder groups need to engage with each other. Greater coordination, collaboration through sharing information, increased investment to fuel implementation of more cyber security solutions, and a focus on the education of employees and the wider UK public are required.
The UK government has provided a coordinated response to a challenging issue
The UK government National Cyber Security Strategy 2016-2021 outlines the national response. This includes the commitment to spend £1.9 billion on creating the vision, structures and national response capability to provide a secure and resilient digital environment.
From a regulation perspective, EU cyber legislation that has been adopted and implemented by the UK, including GDPR and the NIS Directive, has helped to encourage better implementation of cyber security across government, critical infrastructure and businesses by mandating certain levels of IT security protection and the reporting of cyber incidents.
The structure of the UK cyber security market enables more collaboration between stakeholder groups
At the core of the cyber security response is the National Cyber Security Centre (NCSC). It acts as a bridge between industry, government and businesses. The NCSC reported that since becoming fully operational it has dealt with over 1,200 cyber incidents and responds to around 10 major attempted cyber-attacks each week.
Despite this, the NCSC has not faced a cyber-attack that has fallen into Category One (National Emergency, loss of life or disruption of services), although the WannaCry attack and NHS disruption came close. In addition, it has been reported that around two thirds of critical infrastructure in the UK has had downtime in the last two years. It is estimated that around 35% of this was due to a cyber security incident. Most attacks are launched by hostile states. In October 2018 the head of the NCSC, Ciaran Martin, warned that there is ‘little doubt’ a major life-threatening cyber-attack on the UK will take place in the near future.
The UK Cyber Security Industry remains one of the most advanced and innovative in the world
A major strand of the government cyber strategy is to ensure a strong industrial base. The UK cyber industry is well developed and has created a number of world-leading cyber security organisations. This has been done by leveraging the strong Defence and Security sector and the Advisory and Professional Services sector, which have built cyber capability. The cyber accelerator that is delivered through the NCSC has provided government support to help cyber start-ups develop and bring low-cost cyber solutions to market.
The industry is made up of over 800 companies that provide the full spectrum of cyber security solutions. The UK is recognised for Cyber Professional Services, and unsurprisingly this makes up the largest part of cyber security revenue. This will be further driven by the growing cyber skills gap, which was highlighted by a report from the Joint Committee on the National Security Strategy stating that there were not enough people with the deep technical expertise required to protect the UK Critical Infrastructure. This needs to be urgently addressed. With a lack of expertise, organisations will continue to look to cyber security providers to fill capability gaps.
From an investment perspective, following the global trend, the financial market has the highest cyber expenditure, followed by large commercial and industrial companies. Ports, water, rail and aviation are all industries that need further investment in cyber security. As these sectors continue to move towards more digital operating systems this will become even more critical.
The greatest growth over the next five years is expected to be in Identification, Authentication and Access Management and Threat Intelligence solutions as organisations implement strategies to better control network access and gain greater visibility on vulnerabilities across their digital operations.
While threats will continue to increase and further major attacks over the coming year are inevitable, the UK must build on existing cyber security policies and infrastructure to ensure that its digital architecture is as protected as it can be.