Seen by other countries as a model of its kind, the National Cyber Security Centre’s (NCSC’s) particular strength comes in fusing the cream of our national security capabilities with cutting-edge technical knowledge, and timely, tailored intelligence. So said Oliver Dowden, Minister for the Cabinet Office, in a speech at the NCSC’s Annual Review 2019 launch in London.
He said that success is measured in events that don’t happen – ‘the dog that didn’t bark; the crippling cyber attack that wasn’t; the public trust in our digital systems that wasn’t compromised – we are, demonstrably, heading in the right direction.’
He admitted: “Is there more to do? Always. Over a third of UK businesses suffered a cyber breach or attack in 2018. For this massively complex and evolving challenge there is no quick fix – we all need to step up, with the Government in the lead when a national response is appropriate.”
For the 49-page document visit https://www.ncsc.gov.uk/news/annual-review-2019.
Laurie Mercer, security engineer at HackerOne says that every organisation should have a vulnerability disclosure program – a formal process to accept vulnerability reports from external hackers. “A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that anyone who sees a security loophole, has a way to raise the alarm. More and more Government agencies deliver services online. It is very easy to release code that can be hacked. The best way to prevent getting hacked is to get hacked by people you trust. That is why it is great to see that the NCSC is promoting the importance of Vulnerability Disclosure and alerting people to the process of vulnerability reporting. There are over 60 million people in the UK, and together we can create a safer digital Britain.”
The attacks documented are only a fraction of what consumers and businesses are actually facing, says Robert Ramsden-Board, VP of EMEA at Securonix. The reality is businesses and consumers should always be on guard for hacking attempts, he says. “Research has shown time and time again that humans are the weakest link in cybersecurity so more education around cybercrime for consumers and businesses is essential.”
Aurore Domange is director at Cyber Security Connect UK 2019, a forum for chief information security officers (CISOs), due to hold a conference in Monaco from November 13 to 15. She said: “The 2019 report highlights just how many attacks have been prevented or halted in their infancy thanks to the diligence of the NCSC and its innovative approaches to tackling cyber-crime.
“What the report also showcases, however, is the ongoing need for both businesses and the public to be vigilant in their everyday lives and it is down to CISOs to set the standard in doing this. The NCSC aims to make the UK amongst the safest places to live and work in the world, and it is our job as cybersecurity professionals to reinforce this.”
Jason Tooley, Chief Revenue Officer at authentication platform Veridium says: “Worryingly, the NCSC report discovered that only a third of British people know how to protect themselves from cyber breaches, highlighting the lack of public education with regards to security. Passwords are the weak link, and organisations must have an obligation to protect their customers and provide the safest methods of authentication.”
Jason continues: “Eliminating the password from user authentication is more easily achieved with the adoption of biometrics, as this negates the risk of phishing. Transitioning to a passwordless approach does not mean using a biometric in isolation, still using PINS or replaying passwords in the background, you need to remove passwords in their entirety across all factors of authentication.”
At the executive search firm Marlin Hawk, John-Claude Hesketh, Managing Partner says that while the NCSC’s report does a great job of informing how it protects UK citizens and SMEs, information for larger organisations feels lacking. “Most noticeable is that we still don’t seem to have a recognised professional body that accredits CISOs and other senior cyber security professionals, despite the NCSC saying last year that they were working on it. This makes hiring a tough task for boards, who may all have their own opinions on what a good cyber hire looks like.
“Relative to other business risks, cybersecurity is still an emerging threat. Due to its dynamic nature, boards often appoint CISOs for the here and now; focusing on somebody who can get the job done in the current climate, rather than looking for somebody with a more strategic, long-term vision. Whenever this cyber body appears, it must educate boards on the benefits of a strategic CISO, rather than somebody who’s job is solely reactive.
“With the private sector – including the growing cyber startup scene – continually innovating, the NCSC should look to collaborate with these businesses to ensure they are offering best-in-class training to cyber professionals, while setting a high bar for cyber security accreditation.”
Payment services
The review hailed Operation Haulster, which automatically flagged fraudulent intention against more than one million stolen credit cards, as a result protecting hundreds of thousands of people from financial loss.
Caroline Hermon, Head of Artificial Intelligence at SAS UK and Ireland, said: “The rapid expansion of payment services over the last few years has led to consumer demands for convenience and flexibility with new payment methods. Banks and other financial institutions are aware that they must meet these demands, but they are also aware that these new payment systems leave them open to new forms of fraud.
“The challenge therefore centres around how banks can adapt to these new types of fraud without damaging the customer experience through large numbers of false positives.
“Where payment fraud was historically driven by card cloning, it has since migrated to transactions where the card does not need to be present, such as online purchases. While it is true that this provides the customer with a more seamless experience, it also aids fraudsters by helping them access funds through illicit transactions and gives banks less time to detect fraudulent activity.
“To detect instances of payment fraud, organisations need to take an agile approach as there is little time for drawn-out checks. However, with up to 10% of rejected orders believed to be valid, they also need to ensure that their prevention systems avoid too many false positives.
“There are many actions that businesses can take to protect themselves from these security threats. For a start, moving from a rules-based to a machine learning analytics system will help to overcome the problem of false positives. These approaches are particularly useful to detect rare payment fraud events hidden in big data sets. Moreover, they reduce the false positive rate by learning customer behaviour over time so that normal behaviour for an individual does not raise alerts.
“Ultimately, payment fraud detection systems must be able to look at payment processes from end-to-end and also across channels. While it is important that banks keep up with consumer expectations to ensure a positive customer experience, they cannot lose track of the privacy and fraud implications that come with seamless payments.”
