The opening of the National Cyber Security Centre ('NCSC') will be seen by many businesses as a welcome simplification of the sometimes confusing array of bodies and accreditations they are presented with when seeking to prevent or respond to cyber-security threats.
Over the past two years, corporate Britain has become much more aware of the threat from cyber-crime. This is due, in part, to the escalation in targeted or behavioural attacks including whaling or spear-phishing, and also to the increasingly tangible damage to the reputation of companies such as TalkTalk, and the ensuing fines and loss of business.
In June, the National Crime Agency ('NCA') highlighted a 22 percent year-on-year increase in reported cyber-crime against business, with a direct loss of £1bn. The true loss is far greater once loss of future revenue and reputational damage is factored in.
The danger of undetected threats
In fact, the greater risk remains undetected theft of capital or intellectual property (IP). An unnoticed breach can allow a threat actor to capture highly sensitive commercial information over an extended period; typical targets are product designs, blueprints, new product development plans and customer contract details.
Larger companies, which tend to have a lot of this intellectual capital, have become far more aware of the threat and how to protect themselves, adopting IT infrastructures, protocols and processes designed to limit risk. This has resulted in criminals and other threat actors looking for other weak access points - typically smaller companies with less sophisticated protection - particularly those interacting with larger companies with a lot of IP.
Suppliers are an ideal target, particularly where there is some degree of systems integration, common in markets such as the automotive sector. We are seeing large original equipment manufacturers (OEMs) increasingly push security standards down to the companies in their supply chains as a cost of winning work with them, although the extent of this is varied.
M&A processes lack adequate due diligence
Mergers and acquisitions also create a good environment for the attacker. Opportunities arise both from the integration of the target's IT with that of the acquirer and from the increased potential for human error while employees are learning new systems and new reporting structures, and potentially working with people they do not know well, before security protocols have been learnt. Adoption of proper cyber-security diligence and integration within M&A remains worryingly lacking, despite the obvious risks.
Sharing intelligence: protecting against future breaches
As a single body that businesses can turn to both to understand and to address these risks, the NCSC could become a very important tool. In particular, it could allow for the first time the effective channelling of threat intelligence from Government and private-sector agencies to businesses of all sizes, rather than just to the largest or most sophisticated companies within manufacturing, technology and finance, as has largely been the case to date. Should the NCSC be able to work effectively as this conduit, perhaps UK businesses can start to build 'herd immunity' through best practice, which will be critical if we are to arrest the virulent growth of cyber-crime.
Contributed by Graham Carberry, partner, Livingstone