It won’t have escaped the notice of many in the cyber security sector that the government isn’t doing all it should to protect the nation’s critical infrastructure.
In fact, according to the National Audit Office the government has made several critical missteps in its rollout of the National Cyber Security Programme.
The NAO commented that the government’s strategy was a ‘complex challenge’ and one that the government itself doesn’t fully believe it can achieve.
It is reported as having low confidence in half of its strategic plans.
Considering that the methods used to ‘actively defend’ key targets are largely untested – because they’re still being developed – it’s easy to understand why.
At present 80% of its projects to defend critical facilities such as hospitals and power plants will be completed on time. But one must question the effectiveness of the completed work considering the government’s low confidence in its own plans.
Which leaves businesses – especially those offering critical or essential services – vulnerable and unsure of what to do.
The answer may be to turn to the private sector.
They’re called viruses for a reason
The parallels between computer viruses and those found in the living world are remarkable.
Just as a human body that isn’t well maintained or immunised against disease will be vulnerable to infection, the same can be said for a computer.
And – like viruses in humans – a computer virus can cause utter havoc to its host before it is identified, quarantined and neutralised.
Sometimes the damage can be too severe to save the host and the computer ends up in computer heaven. Or the nearest skip.
Whereas a disease in humans can lead to loss of life, the loss of data can cripple businesses. Or worse, cripple systems.
This may not seem as bad as a human dying – especially considering some of the truly horrific diseases out there.
But when you consider what could happen if all the power stations stopped working.
Or emergency calls go unanswered because the phone networks have gone down.
Or Air Traffic Control goes dark.
It becomes abundantly clear how our way of life relies so heavily on the interconnectivity of computers and their continued, reliable performance.
The challenge for businesses is – as with individuals and their bodies – they don’t always know what’s best for their networks.
A computer without the latest system patches is much like a person not being vaccinated against Meningitis B. Everything is fine until they get the infection.
While protection against the infection exists, the host is totally vulnerable without it.
The reason why we immunise our children from a young age is to protect them against a range of potentially life-threatening diseases.
But the other reason is to contain an outbreak in the event of a non-immunised person contracting a disease.
The x-factor is knowing how infectious the disease is, as this informs clinicians as to how many people need to be vaccinated against it.
There was an outbreak of measles in the US recently – largely attributed to anti-vaxxers not protecting themselves and their children. A new case was being reported daily, with more cases in 2019 so far than in the whole of 2018.
Measles is so contagious that you have to surround one infected person with nine immunised people.
Then you get on to the nasty stuff. The eradication of smallpox was considered the greatest humanitarian achievement of the 20th Century. The problem now is that no one has a natural immunity.
If there was an outbreak you would need to surround 100 infected people with 100 million immunised people. The right disease in the wrong hands can cause untold carnage.
It’s no different with computers and computer networks.
A comparable instance was the massive cyber attack on Dyn in 2016. Hackers marshalled millions of unsecured devices to flood Dyn’s servers with so much traffic it brought down 65 major services including Visa, Netflix and Amazon.
It was disruption on a global scale, affecting millions of people and businesses.
The notion of herd immunisation (or community immunity) through adopting a universal approach to cyber security seems the most logical approach.
Under this blanket policy businesses – and their IT teams – agree to work to a set minimum standard to ensure a consistent level of protection for all.
Applying the herd immunisation model – this may not protect everyone as immunisations and network security can fail, but it will protect the overwhelming majority.
The Cyber Essentials scheme launched in 2014 attempted to achieve that goal. However, many felt that the steps didn’t go far enough to ensure network security.
Nor is it a requirement – unless you want to be on the government supplier list or work with certain types of sensitive information.
That applies to very few of the 5.7 million small to medium businesses in the UK. Especially when you consider that 1.7 million of those businesses are one-man-bands.
But herein lies the problem…
Trying to apply a blanket cyber security policy on a national scale, let alone a global one, is nigh on impossible.
Some 1.7 million of those businesses could be little more than a person working out of their spare bedroom using a laptop. Their cyber security will be minimal, their router security factory standard.
Another big challenge is businesses using legacy systems because there is no modern alternative that can meet the needs of the business.
Or organisations so vast that individuals are using unsupported software entirely because the IT juggernaut has yet to churn its way down to them.
This is a major issue. Big organisations don’t necessarily equate to cutting edge technology. Any attempt to force blanket compliance would be met with staunch opposition from a cost perspective.
Even if the government did attempt to pass legislation forcing all businesses to operate to a minimum security standard, it would likely put many SMEs out of business.
It would also create dangerous monopolies where IT and cyber security consultancies could essentially charge whatever they wanted to deploy it.
Similarly, software license subscriptions would become extortionate as the need for robust systems would skyrocket.
However not everything has to be expensive or require an external contractor. Businesses – regardless of size – can take steps in order to protect themselves against attack.
Organisations using legacy systems can benefit from herd immunisation. While the unsupported programme is a risk, you can protect everything surrounding it, meaning that if that system was compromised you would only lose that one server, rather than your entire infrastructure.
By extension, the critical parts of your system that are legacy or otherwise can’t be patched should be monitored.
Again, for smaller organisations this may prove a challenge. But they are also less likely to have a complex IT infrastructure that needs it.
Additional layers of security can reduce risk to smaller operations. Virus protection and firewalls are common, but malware protection and bot scanners help to make your systems more secure.
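The two steps above (isolate the unpatched server so that only its declared peers can reach it, and monitor it for anything outside that allow-list) can be checked with a small audit over firewall connection logs. The script below is an added example, not code from the original post; the legacy host address, the allow-list, the log format and the sample log lines are all constructed for illustration. It flags any connection involving the legacy host that the declared policy does not cover, and separates the flagged connections the firewall actually allowed (a gap between the written policy and the deployed rules) from those it denied (attempted traffic worth investigating).

```python
"""Audit firewall logs for traffic that breaches the isolation policy around a legacy host.

Added example, not from the original post. Constructed log format (one connection per line):
  <ISO timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>
"""
from dataclasses import dataclass
import ipaddress
import re

# Assumed address of the unpatched server being ring-fenced.
LEGACY_HOST = ipaddress.ip_address("10.0.5.20")

# Declared policy: (direction relative to the legacy host, peer network, port, proto).
# Anything involving the legacy host that is not listed here is a finding.
ALLOWED = [
    ("inbound", ipaddress.ip_network("10.0.1.0/24"), 1433, "tcp"),  # app subnet -> its database
    ("inbound", ipaddress.ip_network("10.0.9.10/32"), 22, "tcp"),   # admin jump host -> SSH
    ("outbound", ipaddress.ip_network("10.0.0.53/32"), 53, "udp"),  # legacy host -> internal DNS
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>tcp|udp) action=(?P<action>allow|deny)$"
)

# Constructed sample log: two permitted inbound flows, one permitted DNS lookup,
# then three connections the policy does not cover (one of which the firewall allowed).
SAMPLE_LOG = """\
2019-05-01T09:00:01Z src=10.0.1.15:50211 dst=10.0.5.20:1433 proto=tcp action=allow
2019-05-01T09:00:05Z src=10.0.9.10:43120 dst=10.0.5.20:22 proto=tcp action=allow
2019-05-01T09:01:10Z src=10.0.5.20:40001 dst=10.0.0.53:53 proto=udp action=allow
2019-05-01T09:02:33Z src=10.0.5.20:40877 dst=10.0.1.15:445 proto=tcp action=deny
2019-05-01T09:03:02Z src=10.0.5.20:41002 dst=203.0.113.7:443 proto=tcp action=allow
2019-05-01T09:04:40Z src=10.0.7.8:51230 dst=10.0.5.20:3389 proto=tcp action=deny
garbage line that should be ignored
"""


@dataclass
class Finding:
    ts: str
    direction: str  # "inbound" to the legacy host or "outbound" from it
    peer: str
    port: int
    proto: str
    action: str     # what the firewall actually did with the connection


def parse(line):
    """Return a dict of fields for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sip": ipaddress.ip_address(d["sip"]), "sport": int(d["sport"]),
        "dip": ipaddress.ip_address(d["dip"]), "dport": int(d["dport"]),
        "proto": d["proto"], "action": d["action"],
    }


def is_allowed(direction, peer, port, proto):
    return any(
        direction == d and peer in net and port == p and proto == pr
        for d, net, p, pr in ALLOWED
    )


def audit(lines):
    """Return every connection touching the legacy host that the declared policy does not cover."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the audit
        if rec["sip"] == LEGACY_HOST:
            # Outbound from the legacy host: the service port is the remote dst port.
            direction, peer, port = "outbound", rec["dip"], rec["dport"]
        elif rec["dip"] == LEGACY_HOST:
            # Inbound to the legacy host: the service port is its own dst port.
            direction, peer, port = "inbound", rec["sip"], rec["dport"]
        else:
            continue  # traffic between other hosts is out of scope here
        if not is_allowed(direction, peer, port, rec["proto"]):
            findings.append(Finding(rec["ts"], direction, str(peer), port, rec["proto"], rec["action"]))
    return findings


def policy_gaps(findings):
    """Findings the firewall allowed: the deployed rules are wider than the written policy."""
    return [f for f in findings if f.action == "allow"]


if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.direction:8} peer={f.peer}:{f.port}/{f.proto} firewall={f.action}")
    print(f"{len(policy_gaps(found))} of {len(found)} findings were allowed by the firewall")
```

Running it against the constructed log reports three findings: the legacy host reaching for SMB on an application server (denied), the legacy host making an outbound HTTPS connection to an external address (allowed, so the firewall rules do not match the policy), and an RDP attempt at the legacy host from an undeclared workstation (denied). Outbound connections are judged against the allow-list even when the firewall permitted them, because an unpatched server initiating contact with the rest of the estate is precisely what the ring-fence exists to contain.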
But the problem remains that the lack of consistency can leave even the most security-conscious business open to the risk of attack, simply because cyber attacks and viruses can come via external sources who can’t or won’t take their cyber security as seriously.
The other challenge is there are very few catch all solutions to cyber attacks.
A medical condition can be treated with a specific medication. Often the only thing that halts a cyber attack is that it’s taking longer than the hacker wants to break in, rather than the system being un-hackable.
Given enough time every system can be overwhelmed. It’s whether or not the cost is worth the return.
Without comprehensive guidance, as well as an increased baseline of security provided with new computers, it’s impossible to reach anything close to herd immunity.
However it may be the way to go.
If you’re looking to find leading cyber security talent, get in touch and we’ll be happy to support you.