The UK will face its first major “category one” cyber-incident in the next few years, forcing organizations to up their game by focusing security efforts on risk management, according to the National Cyber Security Centre (NCSC).
Ian Levy, technical director at the newly created offshoot of spy agency GCHQ, told attendees at a Symantec conference late last week that the NCSC has already been called upon hundreds of times to deal with cyber-attacks.
In fact, in the year since it was created as part of the government’s National Cyber Security Strategy, the NCSC has dealt with 500 such incidents, including 470 at “category three” and 30 at “category two”.
As a rough idea of scale and impact, the WannaCry ransomware worm which ripped around the world in May was a category two. A category one incident apparently requires government to step in.
Such an incident would likely happen as a result of human error, and the only way to stop it happening “sometime in the next few years” is for public and private sector bodies to think about security less in product-centric terms and more about risk management, Levy said, according to the Guardian.
That means, for example, knowing what data you manage inside the organization, how it is secured and what the impact would be if it were compromised.
Levy urged IT leaders to stop blaming users for cybersecurity incidents, and instead be more mindful of the limitations of certain technology systems.
“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid. They cannot possibly be the weakest link – they are the people that create the value at these organizations,” he’s reported as saying.
“What that tells me is that the systems we’ve built, as technical systems, are not built for people. Techies build systems for techies, they don’t build technical systems for normal people.”
Aside from WannaCry, which had a major impact on NHS IT systems and hit over 250,000 victims around the world, we've just seen an Equifax breach which compromised details on nearly half of all Americans and 400,000 Brits.
That incident appears to have been preventable after the firm seemed to reveal that it failed to patch a known vulnerability, allowing the attackers in.