Cyber Security Model (CSM)
‘Not if but when’ – 2017 UK cyber security in focus
2017 is Ascentor’s thirteenth year in information risk management. Over the years we’ve helped public and private sector organisations address the challenging landscape of cyber security and information assurance. Each year brings different threats – those we already recognise evolve, others are completely new. At the same time the legislative horizon changes as new standards and regulations come into force.
We started 2017 by quoting a tweet from John Chambers, CEO of Cisco, that is as good as any in describing the challenges of the year ahead. “There are two types of organisation: those that have been hacked & those that don’t know they’ve been hacked.” So, it’s increasingly a case of ‘not if but when’ – and a lot of household-name organisations know how painful that felt last year.
But what does 2017 have in store? Some of the following are relevant to government and their suppliers – others to all organisations. As we don’t want to start the year as the purveyors of doom, we’ll start with some good news. There’s a new pot of money coming…
The new UK Cyber Security Strategy
The 17 largest UK Government departments recorded a combined 8,995 data breaches between 2014 and 2015 – clearly something had to change. On 1st November 2016, the Chancellor of the Exchequer launched the latest UK Cyber Security Strategy with £1.9bn to help the UK build stronger cyber defences and develop cyber skills.
The new strategy will see more government intervention with the private and public sectors to ensure that individuals, businesses and organisations adopt the behaviours required to stay safe on the Internet. But the investment comes with a warning: a regulatory framework may be introduced for those risks that organisations fail to address. We see this new, tougher approach as a ‘New Sheriff in Town’.
Our view is that the new strategy will bring increasing pressure on government supply chain companies to meet at least the Cyber Essentials standard of cyber security – and will drive companies and organisations to demonstrate their capabilities in this area to a recognised level. And if you work in the defence world, the next section will be particularly important this year…
The Cyber Security Model (CSM)
It has taken longer than planned but finally, the roll out of the Cyber Security Model (CSM) is coming – and with it substantial change for suppliers as the MOD manages the risk to its information from supply chain companies.
We are now expecting the CSM to be rolled out to large suppliers from January 2017, with a full launch by April. To be compliant with the requirements of the CSM, MOD supply chain companies will need Cyber Essentials or Cyber Essentials Plus (depending on the risk level of the contract) and will need to have information security governance policies in place.
For defence suppliers, not having Cyber Essentials in 2017 could put future contracts at risk. That’s why we strongly recommend that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance – so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time consuming the process.
For full details about the CSM, read our article ‘In cyber security there is no front line’ – An update to the Cyber Security Model.
The vacuum in the risk assessment world following the demise of IS1 & 2
It has now been two years since HMG IA Standards 1 & 2 (Information Risk Management) ceased to be supported by CESG. At the time our blog asked the question ‘The Demise of IS1 & 2 – Are Risk Assessments Really Worth the Effort?’.
Our view was that doing a risk assessment remained a good thing as it sets out a valid business argument for spending time, effort and resources on implementing security measures to protect valued business assets. But, looking ahead at the time, we hoped that the demise of IS1 & 2 would not create a policy vacuum filled by ignorance and blind acceptance of unknown residual risks.
Fast forward to 2017 and there is still no standard risk assessment methodology within government departments. The plethora of different approaches means risks are not being assessed or described in a consistent way, so one department does not know how another is managing its risks. We see the risk assessment vacuum as a potential door opener for attackers – it may only be a matter of time until a major security incident falls through the void.
GDPR – it will happen, and it will cost
Brexit caused shockwaves across Europe in 2016 with organisations wondering what would happen to the incoming EU General Data Protection Regulation (GDPR). However, unlike the on-going uncertainty about many of the aspects of Brexit planning, the consensus emerged that GDPR compliance will happen.
For the details of the main aspects of GDPR, please see our article ‘Data Protection – your ‘need to know’ list is getting longer’ – one of our most read in 2016. With the need for compliance in mind, what does this mean for your organisation in 2017?
Bearing in mind the grave cost of non-compliance – organisations can be fined up to 4% of global annual turnover (or €20m, whichever is higher) – we predict the strong smell of coffee as organisations assess their policies and business processes and conduct data reviews. Organisations will need to identify where EU personal data is held and handle it separately from other data where necessary, and must invest in comprehensive data security measures – as well as employee training – to ensure compliance with GDPR. Administration costs can only go in one direction.
Ransomware gets personal
No look ahead across 2017 would be complete without covering ransomware – something Ascentor did in three articles across 2016 . But, as we said in our introduction, some threats evolve – and ransomware is coming for your personal device and into your homes.
We tend to think of ransomware as targeting the larger organisation – but the cyber criminal knows that larger organisations are taking action. That leaves the individual, who may feel too insignificant to be worth bothering with. Not to the cyber criminal. We were surprised to discover that, on average, an individual was attacked every 10 seconds in 2016. We also noticed that research from Trend Micro identified a 15% swing from PC to mobile attacks in 2016, calling mobile ransomware ‘the fast-growing yet unknown threat’.
More and more people work from home and store company information on their personal devices (often without consent). With the growth of smart devices, will we start to be targeted across a range of connected objects in 2017? It might seem trivial if our smart TVs or home printers are held to ransom – but it could be just the tip of the iceberg.
Cyber insurance uptake to surge
In our 2016 predictions article we referred to ‘the year of the cyber insurer’. Our opinion was that as more and more attacks were successful and resulted in punitive damages, insurance companies would build their customer base and risk analysis frameworks.
By November, a survey conducted at the 2016 Cyber Symposium showed that over 40% of insurers had grown their cyber book by over 50% in the last twelve months. Insurance provider CFC revealed that cyber claims amongst their customers had also increased by 78% from 2015 to 2016.
In 2017 we think this uptake will surge as cyber insurance increasingly becomes part of operational risk strategy in the ‘not if but when’ climate. With high-profile cyber-attacks, such as the one on TalkTalk, at an all-time high, businesses have become increasingly aware of the need to manage the risk to their intangible assets and reputation. The incoming GDPR, which will impose heavy fines on firms that fail to safeguard data appropriately, is another factor likely to increase the demand for cyber insurance this year.
If you’d like to find out more about cyber insurance, what it covers and how to buy it, our article ‘Cyber Insurance – can you ever be fully covered?’ will be of help.
The year of cyber security competitive advantage?
We find it unfortunate that cyber security and information assurance are all too often seen as compliance issues. The tougher stances from the new UK Cyber Security Strategy and GDPR will only reinforce this. At Ascentor, we have always focused on the business benefits that well-executed information risk management can bring. One of these can be competitive advantage.
As buyers focus more on cyber security, the ability to demonstrate not only compliance but going the extra mile may start to count for more. We are receiving more and more enquiries from companies aspiring to achieve more than simply Cyber Essentials. The list of companies aiming for ISO27001 and List X status is growing fast. Many of these companies are seeing such a step as a way of not only fortifying their businesses, but also making themselves more attractive to buyers.
We hope 2017 will be the year when buying and selling organisations start to turn up the heat on cyber security as a value added corporate characteristic.
All of the above comes in a climate of continuing cyber skills shortages – and yet, as we have suggested, regulation and fines loom, particularly with the new UK Cyber Security Strategy and GDPR. Therefore, in 2017 organisations may feel under even greater pressure to look externally for the skills and guidance they need to meet these standards – starting with Cyber Essentials as a minimum.
For further information
If you’d like to discuss how our consultants could advise on any aspect of Information Assurance and cyber security, please contact Dave James, MD at Ascentor.
Office: 01452 881712