Most organisations are not preparing ahead of time for cyber-security attacks, hampering efforts to respond and leading to worse outcomes.
That’s according to Paul Chichester, director of operations at the National Cyber Security Centre (NCSC). In an interview with SC Media UK, he said organisations need to recognise that it’s impossible to defend against every conceivable attack and therefore more effort should be put into preparing for various post-attack scenarios.
‘Chich’, as he is known to his colleagues (it’s even printed on his staff badge), is in charge of the NCSC’s incident response team, which provides a range of services to organisations in the UK that have suffered IT security breaches.
"We are here to deal with the most severe incidents – that could include help and advice over the phone," he said. "Or we might deploy our team to the organisation where we will help them manage the incident on the ground. We might do some forensic work with them, and then depending on how long that incident is going on for, we might advise them to bring in a company that we verify under a scheme called the Cyber Incident Response scheme that the NCSC runs."
He said the severity of incidents can vary widely and have included WannaCry, which resulted in thousands of NHS appointments being cancelled, and the attacks against British Airways and Ticketmaster which resulted in the compromise of personally identifiable information and the theft of hundreds of thousands of credit card records.
Despite the scale of the threat and the potential consequences, he says that the number of organisations without a post-incident strategy is staggering. "At the moment, it [failing to plan] is all too common. One of the things that we are really keen to be pushing is getting people to think about what they would do in an incident because, as our CEO Ciaran Martin says, it’s a matter of when, not if," he said.
The government’s Cyber Security Breaches Survey 2018 found that only 30 percent of businesses and 24 percent of charities have board members or trustees who are responsible for cyber-security, and a paltry 13 percent of businesses and eight percent of charities have cyber-security incident management processes in place.
Chich said that it’s not possible to block every attack so organisations need to ensure they have robust post-incident response plans in place. "A lot of organisations will have some sort of cyber-incident, and we think the really important part is how you respond," he said.
According to the NCSC’s recent annual report, it was called upon to respond to 557 incidents in the previous 12 months and roughly the same number in the year prior to that. That means in the two years since it began operating, it has helped around 1,100 organisations remediate, recover and rebuild following a major cyber-security incident.
All of these incidents were rated between category two and category four, meaning each had a serious impact on a medium or large organisation, central government or an essential service, or affected a large part of the population or damaged the economy.
A category one incident – defined as "a cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life" – has fortunately not occurred… yet.
So when he isn’t coordinating the response to incidents, he is admonishing organisations to conduct incident response exercises and involve as wide a range of staff as possible.
The cyber breaches survey, which covered 1,519 UK businesses and 569 registered charities, revealed that 20 percent of businesses and 38 percent of charities never update their senior managers on cyber-security issues and only 20 percent of businesses and 15 percent of charities have had any staff attend internal or external cyber-security training in the past 12 months.
"Cyber-security from an incident point of view will probably affect everybody in the company. So actually you want a strong comms narrative, you want your communications director involved. It might involve impact on staff so you want your HR director involved," he said. "Very often people think that incidents are just about the IT director, but actually it’s a much more cross-organisation issue, and that’s what we try to get companies to realise through doing exercises."
The way he views an organisation is "much more about how they respond to an incident rather than necessarily what they have done beforehand. It’s really important that companies prepare – not just at a technical level. One of the really important things is that you conduct exercises at board level."
Looking ahead to 2019, Chich urges organisations to focus on their operational resilience. He says that means focusing not just on protecting data, as important as that is, but also the operation of the business. Ransomware, delivered by highly targeted attacks, has been identified as a huge and growing threat by the NCSC and law enforcement agencies around the world.
Organisations should also concentrate on the security of their supply chains. That places an increased burden on them: not only must they monitor the security of their suppliers, they must also be able to reassure their own customers about their security posture.
The NCSC’s mission statement says, "Our vision is to help make the UK the safest place to live and do business online." While it is working hard to make sure that happens, it is clear that it won’t stand a chance of achieving that without the assistance of the UK organisations who are on the frontline of the threat.