Who should take responsibility for the multi-million-pound problem (or lucrative market, depending on whose perspective you take) that is cybercrime? Governments are in a privileged position of having the influence, resources and partnerships needed to disseminate cybersecurity education and launch approaches nationwide – a position they should use to the advantage of businesses and consumers. But that advantage will only be won by those businesses that take a comprehensive, company-wide approach to cybersecurity, which involves everyone from C-level down to the most junior employees.
Governments take control
It was promising to see the announcement last week of the UK government’s partnership with tech firm Arm. The £36 million project will involve developing new chip technologies that are more resistant to cyber threats and marks the next phase of the government’s Digital Security by Design initiative. It’s hoped that the new solutions will help prevent hackers from remotely taking control of computer systems and mitigate cyber-attacks and data breaches.
Similar government proactivity includes the recent launch of an online cybersecurity course by the National Security Agency. The free tool is intended to educate business users and consumers in the US on cybersecurity operations, law and policy. 2019 also saw the opening of the $100 million Cyber Center for Innovation and Training in Georgia, which marked the single-largest investment in a cybersecurity facility by a state government.
Governments are throwing huge sums at strengthening national cybersecurity, and they’re quite right to do so. IoT cyberattacks alone cost the UK economy over £1 billion every year, while the US economy took a beating to the tune of up to $109 billion over a single year. That was back in 2016. Since then, we’ve seen hacking techniques evolve in sophistication, enterprise networks grow more complex, and threat landscapes expand as a result.
In a statement announcing the UK government/Arm tie-up, Business Secretary Andrea Leadsom commented on the importance of staying “ahead of the game and developing new technologies and methods to confront future threats” – an important piece of advice for businesses and governments everywhere, and one which we at SecureData have been shouting about for years.
The limits of internet regulation
However, policymakers and politicians can only do so much. When it comes to the borderless, global online ecosystem (and the clout of tech companies), implementing strict new regulations is far from straightforward. Take the failure (the most recent of many) of the UK government to introduce a nationwide age verification system for online pornography, a policy first proposed by the Conservatives half a decade ago.
Spending on cybersecurity is a wise investment – and great PR for the state – but government-backed initiatives will only deliver ROI if business IT users also get involved. A top-down approach is needed to educate and upskill, and change must be implemented at every level of a business’s hierarchy. The C-suite must understand what their business has that attackers might want to steal, what it’s worth, how its loss would affect revenues and which attack paths criminals are most likely to follow.
This kind of threat intelligence requires education. The UK’s NCSC and EU’s ENISA offer recommendations, certification schemes, response coordination and so on, but government bodies should not be considered cybersecurity oracles. Their position as a single, neutral source of truth and knowledge is somewhat undermined by the influence they hold over geopolitical events. Just look at how Trump’s fear of Huawei, or the demonisation of Russia/Israel/China by other regions has impacted decision-making and nationally-issued cyber advice.
Time vs money?
Investment from on high is always welcome, but ultimately, it’s down to individual business leaders and IT heads to take control, and to consult those who will find the right-fit solution or approach for their organisation and its individual roadmap.
Deploying and adhering to cybersecurity policies, purchasing new solutions, training or hiring staff, managing threats, complying with regulations like GDPR: all of these things are essential, but they all require investment. What they needn’t require, though, are your team’s resources and time. Instead, businesses should look to a dedicated team of experienced and knowledgeable cyber experts, equipped with effective offensive tools and strategies, who understand the identity profiles of your enemies, and where the weak points lie in your tech stack.
This is what we’ve been doing for years, for companies all over the world. Which brings me to my final point: while the SecureData team is definitely a worldly, politicised and opinionated bunch, we remain a neutral and well-informed partner whose vested interest is securing your business.