This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security update February 2017

Monday, February 27, 2017 - 10:44

Policy developments:

  • The House of Commons Public Accounts Committee published Protecting Information Across Government, calling for the Government to improve its leadership on cyber security matters. According to the report the Government needs to address inconsistent data breach recording processes across departments and set out a detailed plan for the new National Cyber Security Centre (NCSC). This should explain who it will support, the assistance it will provide and how it will communicate with organisations needing its assistance.
  • The NCSC was officially opened by Her Majesty the Queen this month; the launch was accompanied by a new report providing a “snapshot of the past, present and future of cyber security”. The purpose of the NCSC is “to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience”.
  • The US Cyber Threat Alliance announced the appointment of its first president and its formal incorporation as a not-for-profit entity, together with the addition of Check Point and Cisco as new alliance founding members. The CTA’s purpose is “to share threat information in order to improve defences against cyber adversaries across member organizations and protect customers; to advance the cybersecurity of critical IT infrastructures; and to increase the security, availability, integrity and efficiency of information systems.” Also see coverage from Network World.
  • International non-profit membership association (ISC)² predicted that the world will face a shortfall of 1.8 million cybersecurity workers by 2022. Its findings show that 66% of UK companies do not have enough info security personnel to meet their security needs, impacting economic security. Also see coverage from the Telegraph.
  • The Department for Culture, Media & Sport (DCMS) announced the Cyber Schools Programme. This will provide intensive cyber security training and mentoring for 14 to 18 year olds in extracurricular clubs as part of plans to address the risk of a future cyber security skills shortage (further detail here). The target is for at least 5,700 teenagers to be trained by 2021. The NCSC announced a boost to the CyberFirst scheme, which aims to “find, finesse and fast-track tomorrow’s online security experts about to start university or in their first year”. Up to 250 recruits will now be able to receive £4,000 student bursaries, paid work placements and employment on graduation after more than 20 companies pledged their support to the initiative.
  • The Digital Catapult Centre announced that it has secured up to £1.1m DCMS funding to deliver Cyber 101, a business advice and mentoring programme to help new UK cyber security firms grow and succeed.
  • BT launched a “Dragons Den” style competition to find innovative new ideas from SMEs aimed at protecting the UK’s critical infrastructure and keeping public sector and business data secure. The BT SME Award 2017: Securing the Nation will give SMEs the chance to showcase their new technology and product ideas within three categories: cyber security; data collection, mining and analytics; and digital innovation.
  • Network World set out what to expect in terms of President Trump’s administration on cyber security: experts predict a push for increased cyber security spending in government, but also increased digital surveillance and encryption workarounds. It also predicted that 2017 is set to be the worst year ever for security with more high profile breaches likely to be detected or disclosed.

New advice & guidance:

  • EdTech published an infographic illustrating how to coordinate a campus response to a cyber attack; responders have three priorities in the aftermath of an incident: containment, eradication and recovery.
  • Out-Law offered advice on what common vulnerabilities are and what good IT security looks like. Vulnerabilities can be categorised into three types: technical vulnerabilities, supply chain vulnerabilities and vulnerabilities relating to people, such as social engineering and insider threats. Organisations should not just focus on prevention; a good governance framework will address detection of and responses to cyber incidents.
  • Ars Technica considered how use of cloud services impacts on disaster recovery planning, particularly in relation to loss of connectivity. Disaster recovery planning needs to include situations where no form of connectivity is available and backup plans need to be regularly tested to ensure their efficacy. One planning approach is to conduct a “fire drill” to find out the impact of a connectivity outage and which areas are most affected.
  • The National Cyber Security Centre offered advice on cloud security myths; it suggests that well engineered software as a service (SaaS) is better for security than alternatives. Organisations should consider whether their IT security engineering team is going to be better or worse at security management for a major commodity product, offered as a service by the major vendor who developed it. More on cloud security from the NCSC here.
  • Lots of advice from Network World this month: see 12 steps to small business security, 5 ways to spot a phishing email and the cyber insurance gotchas that organisations should be aware of.

Other cyber security news this month:

  • Bloomberg reported that venture capital firms invested $3.1 billion in a record 279 cybersecurity startups in 2016, compared to $3.7 billion in 272 startups the year before and $833 million in 117 in 2010.
  • Network World reported on Verizon’s 2017 Data Breach Digest, which includes an Internet of Things (IoT) botnet discovered on a university’s network amongst its case studies.
  • Ars Technica reported on Microsoft’s decision to cancel February’s “patch Tuesday” update until its next update on 14th March. The update was delayed due to an unspecified last minute issue.