WIREDGOV

Ciaran Martin, CEO of the National Cyber Security Centre, speaking on 12 September at the CBI Cyber Conference

Good morning.

Thank you Matthew for that kind introduction.

It’s a pleasure to speak once again at the CBI annual cyber security conference.

It is also a crucial audience for the National Cyber Security Centre to try to reach.

So thank you for having me.

This event is testament to a real culture shift among businesses and business leaders about cyber security.

So too is the enthusiasm with which many businesses have taken to working with the NCSC.

There is clear evidence that business leaders have a heightened focus on cyber security and, of course, I welcome that.

At the same time, there is a clear and loud demand from business for clear and simple guidance on what has been all too often, damagingly characterised as a complex and technical subject.

I am here as part of an effort to meet that demand.

I am here, I hope, to help demystify a subject all too often shrouded in fear and opacity and jargon.

I am here to launch a taster of the sort of simple, useful but technically authoritative guidance we will be putting out to business, with your input, over the coming months and beyond.

The NCSC’s ethos is all about helping people understand the risks around cyber security.

Most of those risks can in our view be managed effectively if properly understood.

And board level leadership is vital to doing that.

My message today is aimed at board level and general corporate leadership, which is key to managing this crucial risk.

---

So what is new in this?

Well, there is one main takeaway from what I am saying this morning.

And that is that cyber risk is a business risk.

And it needs to be treated like one. That means you have to understand it.

For example, there is a lot more to the cyber security challenge facing the UK than just Russia – serious and sustained though that threat is.

There are other nation states attacking us too.

And large scale criminal cyber activity is, sadly, ubiquitous.

Russia’s elite hackers may target us, but customer data sets may be targeted by another country or criminals. Businesses need to understand that threat.

That’s why we – the NCSC – publish as much as we can about the threat, so you can make judgments about what matters most to your business.

Now we want to move on to the next level by helping you frame your defences in a way that is appropriate to the threat picture.

This means we need you to get a little bit more technical.

People at board level need to understand the basics – and I stress, basics - of cyber attacks, cyber risks and cyber defences.

That’s daunting, but it is doable.

It’s essential.

And today is a significant moment in our efforts to equip the UK’s major companies to do it.

The cost of cyber crime

Why does this matter?

Over the past two years, at the NCSC we have seen, among many other things:

• Attacks on online and physical retailers which resulted in the theft of millions of items of personal data;
• A major systemic attack on IT service providers – and through them, their clients;
• And attacks on the financial system as varied as SWIFT endpoints, ATM cash-outs and the disruption of services.

So we’ve seen a varied range of attacks, and a varied range of attackers.

According to IBM, the global average cost of a data breach was £3 million[1].

That includes:

• Actual money stolen;
• The cost of buying new IT equipment;
• Fines for breaching regulations;
• And the cost of lost productivity.

One estimate of the cost of WannaCry from the Centre for Strategic and International studies put the global cost of the attack at around $4 billion US in lost productivity.

Other indirect costs can range from a falling share price to a rise in insurance premiums.

Not to mention the hard-to-measure damage to reputation.

At the top end of the scale, one company affected by the so-called NotPetya attack last June had to install:

• 4,000 new servers;
• 45,000 new PCs;
• and 2,500 new applications.

They also had to put the brake on the critical systems that were infected.

The total cost to that company was estimated at £150 to £250 million.

This is evidence.

It is recorded, historical fact.

It is not speculation and it is not scare-mongering.

At the same time, it is just another set of business risks – the type your organisations just have to deal with. 

But we know that lots of ordinary businesses don’t have the right cyber security standards and practices.

Two in three FTSE 350 firms have never had any training to deal with a cyber incident[2]. Two-thirds don’t have specific information about the threat.

And one in ten boards have no plans to deal with one[3].

Building stronger defences through cyber literacy

So how do we crack this?

First, let’s look at why it’s like this.

The businesses in this room deal with challenges as complex, if not more complex, than cyber security.

Highly capable leaders successfully navigate highly complicated topics.

And yet, all too often in our conversations with business leaders about cyber security, the complexity of the subject is one of the most common misunderstandings we face.

In fact, there are three misconceptions we often come across.

The first: that ‘cyber is too complex so I won't understand it’.

The second: that ‘cyber is sophisticated so I can't do anything to stop it’.

And the third: that ‘cyber is targeted so I'm not at risk’.

None of these are really true and these misconceptions are damaging.

You can’t manage risk you don’t understand.

So we need to demystify the topic.

At board level, this means closing the knowledge gap between the board and the technical team.

That’s why it means board members becoming a little bit technical.

So that the people on the board and the people in IT can talk about the risks, and people on the board can ask challenging questions of their teams.

You don’t need to know everything.

Just enough to make your own defences stronger.

No-one in government is asking you to be able to take on the best hostile nation state on a good day on your own.

No-one in government is asking you to make cyber security your top priority.

Your core business is your top priority.

We do expect you, however, to be good enough at cyber security to take care of the things youcare about.

And that means you have to understand what they are, and what you can do to protect yourselves.

This means you need to be – at least a little bit – cyber literate.

Cyber literacy

This is hardly a revolutionary concept for the corporate sector.

It’s your area of expertise, not mine.

But I’m led to assume that to be a company director you are expected to be financially literate, and fluent in other areas too.

You need to be able to ask the right questions of the right executives in the company, and understand the answers so you can challenge them if they don’t sound right.

You need to do that in cyber security too.

This can be daunting. I have been through it myself.

Although I employ world class technologists – two of them on our top Management Board, I myself am, by background, a civil service generalist.

It’s even worse than it sounds. I am a history graduate.

So I have been on this journey myself since I joined GCHQ in 2013.

When I joined I was impressed to find that the UK was at the forefront in terms of government's giving advice to their businesses and citizens on cyber security.

World leading initiatives like the 10 steps to cyber security.

But back then, there was a sense that – providing companies got the governance right – normal market mechanisms would take care of most of the problem.

That fed a sense that senior executives didn’t need to understand any of the detail of how cyber attacks actually worked – and what could be done to protect against them.

They just needed to have good governance and hire some outside help to tell them the problem was fixed.

We now know that this hasn’t happened to the extent we hoped and expected.

Eventually we had the confidence to call that out.

Part of my own journey was realising that the strategy wasn’t working as well as we’d hoped.

And to get it right, we had to make interventions where the markets weren’t working.

To do that we had to understand the detail.

Why is spoofing rampant?

Why do otherwise good employees not follow password security?

Why do basic compromises happen to well-funded organisations?

We’ve started to answer these questions at national level.
And we have put in place a whole range of improvements since then.

We have implemented world leading measures to automate cyber defences.

Once, a phishing site hosted in the UK was up for more than a day on average.

Now, thanks to the NCSC’s work, it’s a couple of hours.

And there’s a lot more going on in that space, which is a story for another day.

---

But the story for today is to revisit the support we are giving companies to help them best protect themselves.

And we have done this by harnessing the world class expertise of my brilliant technical colleagues. And today we are launching advice to help you get a little bit technical.

When we look at some of the advice given around the world on how to manage corporate cyber security risk, it’s basically about governance.

Good governance is necessary. But it’s not sufficient.

Indeed one test we now apply to our guidance is whether – like so much other cyber security guidance across the world – you can substitute the phrase ‘pension liabilities’ or ‘health and safety’ for ‘cyber security’ and check if it still makes sense.

If it does, it’s inadequate.

If you look at some of the previous guidance it simply says - cyber security should be discussed at board level. It doesn’t say how, and that a plan should be in place

That’s what we are moving on from today.

So, over the past few months, we have been talking to businesses to work out where the gaps in their cyber security knowledge lie.

And over the next few months we will be rolling out a suite of guidance on cyber security for large corporate organisations.

As a taster today, we have identified five basic questions you can ask in discussions with your technical teams.

Crucially, we are also telling you what to look for in the response.

If the answer is: “We have hired X and bought Y to address the problem”, ask the question again.

You need to understand what is actually happening – not what activity has been bought.

The Board Guidance Toolkit

Let me run through briefly the five questions we are encouraging boards to ask as a taster.

All this information will be on our website and LinkedIn page, with more to come.

The first question to ask is: How do we defend our organisation against phishing attacks?

It’s often hard to spot a phishing email.

So you want to minimise the risk that hackers could trick your employees into installing malware or stealing money through a deceptive email.

To minimise the risk, there are three simple things you can do.

The first is to protect your email domain using a technique called DMARC.

This means bad actors can’t send an email pretending to be from say ‘cbi.org.uk’.

The second is to have your email server automatically mark all external emails as ‘external’.

That will help employees spot phishing emails where the sender is pretending to be a work colleague.

The third, is to give your staff a quick and easy way to report suspicious emails, so the IT team can look into them.

What you don’t want to do is expect your staff to identify and delete all phishing emails. This is an impossible request.

However, there are some signs that make them easier to spot.

Look out for poor logos, spelling mistakes, unnamed addressees, pressure tactics, and uncommon business practices.

But don’t punish people for opening dodgy emails.

No one will be able to spot all phishing emails.

Our own technical director, a world leading expert, has blogged about how he was very nearly fooled by a prankster.

So don’t expect your people to be able to do it.

Instead, focus on what you can do to mitigate it.

The second question is: What do we do to control the use of our privileged IT accounts? 

This is absolutely crucial.

If your systems administrator is using the same account to access the internet as to run the system, this is an extremely serious danger sign. An existential risk.

That’s because the systems administrator runs your network.

Compromise him or her, and the attacker owns your network.

And using the same account makes them more vulnerable.

So to combat this, ensure your admin doesn’t routinely browse the web or open emails when they’re using a highly privileged account.

For extra security, add a second security factor to admin accounts like a hardware token.

And give your employees the level of access they need to do their job – and nothing more.

The third question is: How do we ensure that our software and devices are up to date?

All modern software needs regular updates called ‘patches’ to stay secure.      

So you should have a patching policy that identifies three criteria:

One, what devices and software need patching.

Two, how urgently they need to be updated.

And three, when devices and software are no longer supported – and when they need to be replaced.

You should look to see whether your contracts with suppliers enable this.

And if they don’t, try to change it as quickly as possible.

The fourth question is: How do we ensure our partners and suppliers protect the information we share with them?

The reason to ask this is that when you allow partners access to your – or your customer's – data, you need to know that it’s going to stay safe.

You should plan the security of your systems and data with the assumption that your partners will be compromised.

With this in mind, build security into all agreements from the start and check and audit all the technical controls on your system.

And the final question is: What authentication methods are used to control access to systems and data?

Passwords are an easily-implemented, low-cost security measure.

And we’re stuck with them for the foreseeable future.

But as I’m sure you all know they can be hard to remember.

Passwords that must be remembered should be easy to remember.

A good rule of thumb is to make sure that somebody who knows you well, couldn't guess your password in 20 attempts.

If you need to use passwords, provide secure storage for your users.

However, passwords overall can be a relatively weak methods of authenticating users.

So your password policy should be complemented by other controls.

As we have said for a long time, the single most useful thing you can do to protect your employees’ accounts is to set them up with two-factor authentication.

That means that even if a criminal knows your password, they won't be able to easily access your accounts.

And that is all five of the basic questions to get corporate leaders started on these essential technical discussions.

---

Asking these questions, and understanding the answers, will help you protect your business.

But corporate leaders have to be prepared to stick at it to understand the answers.

One final message is don’t be afraid to ask other questions just because you think they’re too basic.

Nodding to avoid feeling foolish can sometimes be the most foolish thing to do.

---

To conclude, it’s important to keep this conversation between government and business going.

I’m really pleased that the next speaker is the Deputy Information Commissioner, a partner organisation with a crucial role to play in the age of GDPR.

And the Government has an ambitious agenda for the development of the UK digital sector, with cyber security a key part of that.

It’s led by the Department of Digital, Culture, Media and Sport.

As one positive step, I would invite you to get involved with the annual DCMS FTSE350 Cyber Governance Health Check, so we can measure the problem more accurately.

It’s being launched later this month.

Conclusion

We are rolling out more and more guidance based on your feedback.

All of it will be technically assured by world class experts.

And as we do this, we have a chance to make the cyber security partnership between government and industry the best in the world.

That works for us.

It means our experts can focus on the top end of the threat.

It should work for you.

If together we get it right, it equips you to make decisions that will boost your business in the digital age.

So it’s part of working together to help make the UK the safest place to live – and do business – online.

And that will help the UK excel in the global economy for years to come.

Thank you.

[1] Cost of a Data Breach 2018: Global Overview July 2018, Ponemon Institute, IBM

[2] FTSE 350 Cyber Governance Health Check 2017

[3] FTSE 350 Cyber Governance Health Check 2017