Cyber security is a key priority for this government and it’s something that businesses of all sizes need to consider and take extremely seriously if they are to fully benefit from being online. There are clear risks for those who don’t take the necessary steps to protect themselves from malicious cyber threats. These include obvious financial issues and the cost of fixing cyberattacks. But also there are reputational risks for a company that has been targeted.
Despite some encouraging signs that the issue is now being considered in more depth, there is still work to do. Statistics published this month from the Department for Digital, Culture, Media and Sport show that there has been a reduction in the percentage of businesses suffering a cyber breach or attack in the last year. The 2019 Cyber Security Breaches Survey showed that 32 per cent of businesses identified a cyberattack or breach in the last 12 months. That’s down from 43 per cent the previous year.
That represents a significant reduction and one that follows the introduction of tough new data laws under the Data Protection Act and the General Data Protection Regulations (GDPR). These are laws which I oversaw through Parliament and they include new requirements on organisations to keep personal data secure.
People are clearly listening and taking notice; 30 per cent of businesses and 36 per cent of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.
The improvement is positive but again, in my view, it is still not enough. And for those business or charity leaders who have yet to take action, then one stat will certainly make them sit up and take notice – that of cost. Where a breach has resulted in a loss of data or assets, the average cost of a cyberattack has gone up by more than £1,000 since 2018 to £4,180.
Another area of concern is the supply chain. Our recent Cyber Health Check of leading UK companies showed that despite good progress, around three quarters of firms didn’t have a full grip on cyber risks throughout their supply chains. However, large companies are increasingly demanding good cyber security standards amongst their suppliers, meaning SMEs that don’t secure themselves adequately could start to face being ruled out of supply chains completely. That’s why I am urging business leaders to do more to protect themselves against cyber crime.
The good news is that we’re providing industry with a range of guidance and support through the National Cyber Security Centre. For example, the Small Business Guide offers practical advice to help firms protect themselves quickly and at low cost, whilst the Cyber Essentials scheme helps organisations protect against common internet threats and provides companies with a badge so they can demonstrate their commitment to cyber security.
Better training and getting the people with the right skills into cyber is also essential. Fewer than three in ten businesses and charities have trained staff to deal with cyber threats. In 2019, that’s just not good enough.
We know that tackling cyber threats is not always at the top of businesses’ and charities’ lists of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.
One area that is crucial is skills, and particularly inspiring the next generation of cyber security experts. Last year we launched our initial Cyber Security Skills Strategy and will be publishing a full strategy later this year. The strategy sets out clear objectives to build the UK’s cyber security capability. This includes appointing independent ambassadors to help promote the attractiveness and viability of a career in cyber security to a broader and more diverse range of people.
We will also launch a refreshed CyberFirst brand, which will bring greater coherence to the government’s offering on cyber security skills. It will commit to continued investment in the capability across all age groups to develop the UK’s next crop of cyber security professionals.
We are also putting up to £2.5m of National Cyber Security Programme investment into a new UK Cyber Security Council to help develop a skilled workforce and give talented youngsters a clear career pathway. Education is key here. Through the CyberFirst programme, the government is working with industry and education to improve cyber security and get more young people interested in taking up a career in the sector.
The Cyber Discovery initiative has already encouraged 46,000 14 to 18-year-olds to get on a path towards the profession. Over 1,800 students have attended free CyberFirst courses and nearly 12,000 girls have taken part in the CyberFirst Girls competition.
We’re also working closely with the National Cyber Security Centre to provide additional support to business and charities, such as the Cyber Security Small Business Guide and Small Charity Guide. But it’s not just the security of businesses that we need to protect. It’s important that all of our internet-connected devices in the home are as safe as possible. There are expected to be more than 420m internet-connected devices in use across the UK within the next three years and poorly secured devices such as virtual assistants, toys and smartwatches can leave people exposed to security issues and even large-scale cyberattacks.
That’s why, back in October, we launched our world-leading Secure by Design code of practice for consumer products. The code will help ensure that products are secure from cyber threats at the design stage. It’s something that manufacturers need to think about right from the beginning. They can’t just see cyber security as something that can be bolted on as an afterthought.
HP Inc, Centrica Hive and Geo have already voluntarily signed up to the code and we want even more companies to pledge their support. The more companies that we get to take this work on, the more concerted effort there will be across the tech sector to protect devices. We will also soon be consulting on regulatory next steps to ensure that baseline security is built into these devices by design. This is an area that we have also covered with the launch of our Online Harms White Paper – setting out a clear direction to make the United Kingdom the safest place in the world to be online.
Creating a safe experience requires more than the use of new technology. It should be as easy as possible for designers of products, platforms and services to understand what’s expected of them and ensure that what they make is safe by design.
Cyber security cannot just be achieved in silos and independently. Through our National Cyber Security Strategy, the government is investing £1.9bn over five years. But it is by working with industry and academia that we will make our cyber capabilities stronger and ensure the UK is the most attractive place to do business digitally.