Speaking in the opening keynote session at CRESTCon & IISP Congress today, Ian Levy, technical director, National Cyber Security Centre, said that there is a need in today’s cyber-landscape to stop issuing ‘bad advice’ about cyber-threats and defense, and instead take steps to empower people with relevant knowledge and tools.
“The reality is stuff we buy, stuff we build, is going to have vulnerabilities,” he explained. “Everything we have done in the past is about managing vulnerability and it’s now about managing harm.”
Levy explained that the key to tackling false perceptions around cyber-threats is to be more honest about what we are facing, and to change the way we advise users about what makes good security behavior. “A lot of the guidance we give is terrible”, he added.
From sensationalizing how cyber-criminals operate, to bombarding people with unrealistic password management direction, to telling people not to click ‘untrusted’ email links and attachments – a lot of the advice we have been giving users to date has not been conducive to good security, and instead leaves it shrouded in mystery.
Levy said it is now time to demystify cyber and “get people to do good security.”
He pointed to a series of schemes and initiatives that the NCSC is currently working on to aid companies with this, particularly a report which shines a light on how cyber-criminals actually operate in real life and a new authoritative recursive DNS service for the public sector which will be available over the coming months.
To conclude, Levy said that it’s imperative that cybersecurity risk is put into a context that people can understand and rationalize, with published data and evidence which can help them make better decisions about what affects their daily lives.
“Yes, there are nation states that are going to do scary, scary stuff – you’re not going to fix that,” he argued. “The majority of people in this country do not get targeted by nation states. The majority of people get harmed by cybercrime, by ransomware, let’s fix that. Let’s take away the crap so that skilled network defenders can work on the hard stuff.
“Go from fear,” he added, “to published evidence and analysis so people can understand what they are defending against, and we can do that at national scale.”