If current affairs, including as they affect the security industry, have altered as a result of Labour’s crushing election win in July, consider that PM Rishi Sunak could have chosen to stay in power and call an election for January 2025, writes Mark Rowe.
Labour’s (natural) euphoria around returning to office after 14 years has (also naturally) somewhat faded with reality – of chronic problems, not least a lack of money for the state to provide basic services, including the police. Still, purely because Labour has brought fresh ministers to Government departments, things that seemed stuck during the Sunak years got impetus – ‘buffer zones’ around abortion clinics in England and Wales (applied separately in Scotland too); the Terrorism (Protection of Premises) Bill brought before Parliament, with the prospect of Martyn’s Law, a legal requirement on hundreds of thousands of premises to take steps to counter terrorism, coming into force in 2027, the biggest change in security management since the Security Industry Authority (SIA) licensing regime.
In the summer, when asking security people what they regarded as the most important change that Labour was likely to bring, it was striking how varied the answers were: some said Martyn’s Law; some the proposed reforms to employment rights, for example around zero hours contracts (or at least those deemed ‘exploitative’, presumably for the proposed Fair Work Agency to define) as used in contract security and stewarding, and the services sector more generally; some, new laws proposed under the Conservatives around data protection, and cyber resilience. A Cyber Security and Resilience Bill is due to be published in 2025. The Department for Science, Innovation and Technology (DSIT), at work on the Bill, acknowledges cyber attacks on the National Health Service, and ransomware attacks on the British Library and Royal Mail (as covered at Consec, the annual conference of the Association of Security Consultants). Transport, utilities and some digital services already count as critical national infrastructure, which the European Union-era cyber regulations (Network and Information Systems, NIS for short) cover. As a sign of how widespread critical services are, a dozen regulators look after the regulations as they apply to industry sectors.
Kevin Robertson, COO of Acumen Cyber, described the Bill as much-anticipated. As he pointed out, organisations would have to be held accountable; else it could be ‘just another toothless piece of legislation from the government that is designed to look like the country is making progress in cyber defences, but in reality does nothing to drive improvements’. On what’s proposed, he said: “By making it mandatory for organisations to report incidents and provide details on ransomware attacks, this is clearly designed to gather intelligence on threat groups so the government can conduct more takedowns and sanction more cyber criminals.
“In theory this is good, but it definitely won’t tackle the problem entirely. Firstly, organisations will still pay but they will choose not to disclose the payment out of fear of being condemned by the government. Secondly, as long as countries like Russia, North Korea and China continue to offer a safe haven to threat actors, no UK sanctions will ever have any real impact.
“The UK government is on a mission to deter organisations in the UK from paying ransom demands. This is clearly a key motivation with the new Bill, but much more still needs to be done. Organisations also need to be advised on security controls, insurers need to stop including ransomware cover in their cyber policies and the government needs to have agencies policing this new legislation to ensure it actually works and is followed.”
Meanwhile in the European Union, the European Council has signed off the Cyber Resilience Act that covers software in use in the EU, wherever it’s from. HackerOne, which offers ethical hackers to seek bugs in software, has described this Act as a game-changing regulation for software and connected product security. The Act requires software firms to have a policy on addressing vulnerabilities in their software, and act on it – for example by testing; and reporting ‘actively exploited’ vulnerabilities to the EU’s agency for cybersecurity, ENISA.
The tension in any cyber resilience law, and Martyn’s Law alike, will be that regulations can set a benchmark which premises or computer networks have to comply with, or face punishment; yet the threats, whether real world or cyber, are unpredictable. Who is to say what goes through the mind of a terrorist or a hacker when picking their target?
Financial services, and the account details of customers, may be an obvious target for cyber attackers who seek money. The phishing awareness training platform KnowBe4 recently pointed to ‘alarming’ trends in cyber threats against factories; hackers seeking log-ins and other credentials for email, social media and messaging accounts. Stu Sjouwerman, CEO of KnowBe4, said that manufacturing’s growing reliance on IT and OT (operational technology) systems, plus increasing globalisation of supply chains, has both increased manufacturing’s vulnerability and its attractiveness to threat actors. He said: “As we navigate these challenges, it is becoming clear that increasing awareness and providing robust training to recognise and prevent phishing and social engineering attempts is no longer just best practice – it is critical.” The platform argues that manufacturing has become increasingly attractive to cybercriminals in recent years due to its interconnected nature – relying heavily on various elements, from raw materials to transportation; its vulnerability – having a low tolerance for downtime, and intellectual property stored in its databases.
All this assumes that organisations have on tap all the expert labour they would want; except that IT people in general and cyber security people in particular, and especially experienced and qualified ones, are in chronically short supply. Chris Herbert, Chief Content Officer at tech firm Pluralsight, has said that aspiring technology workers are focusing on learning AI skills in response to the dramatic increase in the use of AI (artificial intelligence). He said: “While AI skills will continue to remain crucial going forward, learners shouldn’t lose sight of how important fundamental skills, like software development and cyber security, still are. The UK faces ongoing productivity challenges, and aligning skill development with skills gaps in organisations will be vital to overcome it.”
The cyber security platform Check Point Software points to its 2024 Cloud Security Report: as cloud use grows, users are struggling to protect their cloud environments due to a lack of cyber security expertise. More than half of security people surveyed rated their team’s capabilities as average or below. Most (61 per cent) of organisations experienced at least one security incident related to public cloud use in the past year, a rise from 24pc the previous year; most commonly a data breach. Most (76pc) of survey respondents reported a shortage of cyber security expertise within their organisations. Nearly half (49pc) of respondents indicated a need for their cyber security people to acquire new AI-related skills, while 35pc were concerned about the lack of knowledge hindering AI adoption.