UK Government’s Cyber Security Strategy: A proactive defence?
04 November 2016 | Blog Post
We are living in the midst of a technology revolution. Technology has changed every aspect of our lives, from medicine to personal shopping. Yet this revolution has left both the economy and government dangerously dependent on the ethics and infrastructure of cyberspace. Insurers and corporate risk managers are also grappling with the consequences of this great technological disruption – and assessing the opportunities.
Within this cyberspace, modern hardware and software are more focused on the user’s convenience than on security. This gap between convenience and security has allowed hostile states and hackers to exploit weaknesses, and it comes at the expense of consumers’ security, as the Yahoo cyberattack showed. How can the Government, consumers, corporate risk managers and insurers chart a safe course through this hostile and uncharted digital environment whilst understanding their own exposures?
We all love our shiny new connected devices but loathe the connected risks that go with them. Increasingly, there is a disconnect between the products that insurers are prepared to underwrite and the needs of the insurance-buying public. With this disconnect in mind, the UK Government this week launched its 2016-21 National Cyber Security Strategy (NCSS).
Building on the £860m invested in 2011-16, the strategy sees a further investment of £1.9 billion over the next five years. The linchpin of this strategy is the creation of a National Cyber Security Centre (NCSC) to act as the definitive authority on UK Cyber Security. The centre will act as a platform to develop cyber security partnerships between government, industry and the public to ensure the safety of the UK online.
The vision for 2021, as outlined by the Chancellor of the Exchequer, comprises three objectives: defending against evolving cyber threats to UK networks, data and systems; deterring all forms of aggression in cyberspace; and developing the UK’s innovative cyber security industry and talent.
At the heart of the Government’s strategy is a broadening of the concept of Active Cyber Defence (ACD), the principle of developing an understanding of the threats to a network and devising measures to proactively combat or defend against those threats. The Government believes that, through its expertise, capabilities and influence, the UK’s national cyber security will be more proactive than reactive in how it responds to cyber attacks.
The shift to a proactive stance reflects increasing concern over the rise of cyber-related attacks at all levels, from the hacking of the Democratic National Committee to the TalkTalk leaks. It was no surprise that, on the same day as the Government’s strategy was announced, the MI5 Director, Andrew Parker, in a rare interview with The Guardian, outlined the enduring threat to the UK from cyber attacks, with an emphasis on the threat of Russia.
The concept of Active Cyber Defence (ACD) shouldn’t be confined to the Government. Individuals, businesses and insurers, in particular, should be far more proactive in trying to understand their potential exposures. If you are a business, do proper due diligence on your supply chain, and if you are a consumer you should do the same. Where is your individual counterparty risk? You might think that you have taken all the appropriate safeguards, but if you live in a connected household with multiple devices, your spouse or young children could be the unwitting victims of a data breach that exposes the whole household to the same risk.
Over the next five years and beyond, as technology rapidly progresses, we are becoming more dependent on technology, and more connected to cyber threats, than ever before. As the Government has realised, this calls for a greater understanding and awareness of the risks entailed with cyber, and not just the benefits. Ultimately it comes down to people. The irony of the modern world is that as technology develops at a fast pace, people remain more or less the same – fallible and gullible. So when it comes to managing technology risk, remember it’s the people, stupid!