With cyber threats constantly evolving, the best defence is seen as developing innovative solutions that can work independently and protect against threats even during attacks. The government wants to ensure that every UK organisation is as cyber resilient as possible.
So says the UK Government on Data Privacy Day; as more and more systems are connected, whether in the home or businesses, there is a need for security that is secure by design. It’s launched up to £70m in funding for the Digital Security by Design challenge, delivered by UK Research and Innovation through the Industrial Strategy Challenge Fund, subject to business case approval and match funding from industry. And some £30.6m will go on the Ensuring the Security of Digital Technology at the Periphery programme also delivered by UK Research and Innovation through the Strategic Priorities Fund.
Business Secretary Greg Clark said: “This could be a real step-change in computer and online security, better protecting businesses, services and consumers from cyber-attacks resulting in benefits for consumers and the economy. With businesses having to invest more and more in tackling ever more complex cyber attacks, ‘designing in’ security measures into the hardware’s fabric will not only protect our businesses and consumers but ultimately cut the growing cybersecurity costs to businesses.
“This is our modern Industrial Strategy in action. Building on the UK’s heritage and strengths in computing and cyber security alongside the government and industry investing together to ensure the UK capitalises on its position to become a leader in the growing markets and technologies of tomorrow.
The Department for Digital, Culture, Media and Sport (DCMS) makes the point that nearly all UK businesses are reliant on digital technology and online services, yet more than 40% have experienced a cyber-security breach or attack in the last 12 months. Hackable home Wi-Fi routers can be used by attackers in botnets to attack major services and businesses. Moreover, consumers are often the worst affected by mass information leaks than the organisation that held their data. Businesses are having to spend increasing amounts on cyber security, up to 20 to 40 per cent of their IT spend in some cases.
The DCMS, with the National Cyber Security Centre (NCSC), has been carrying out a review in the security of internet-connected consumer products. DCMS published the Code of Practice for Consumer IoT Security in October.
Comments
Graeme Stewart, Director of Public Sector UK and Ireland at the cyber product company Fortinet said: “More public sector support for security by design is a welcome step. Our hope for this research is that it will lead to more hardware manufacturers incorporating security by design into their devices. It is putting in place simple steps which will force better consumer practices, and this will be more effective than a public education campaign. The companies which are already supporting this do not get the recognition they deserve.
“Smart products are the subject of much security concern at the moment, but we do not need to overcomplicate the conversation. IoT hygiene should be treated like good cybersecurity practices elsewhere. You need to be able to appropriately secure the device, based on the risks that device poses. For example, if it can access personally identifiable information, better security protocols need to be standard. Context is key. Finally, better security is not always about ensuring that devices run the right software. For example, certain medical devices cannot receive software updates, because they require Windows XP to function. In cases like this, you need to design security policies which work around this, through air gapping, network restrictions and more.”
Joseph Carson, Chief security scientist at cloud access product company Thycotic said that Greg Clark’s announcement and vision were far from reality when it comes to a strategy on reducing the risks from cyber attacks; however any investment to support cybersecurity research was welcome. “The announcement that the UK will become a leader in cybersecurity resulting from a small investment in research is highly unlikely as hardware and research alone is not going to solve cybersecurity threats.
“The solution to reducing cybersecurity threats is a balance between both technology and people. If we are really going to reduce the threats then it needs to start with an investment in education along with a strong investment in technology that is simple, easy to use and does not require highly skilled workforce to use it. The threats have moved away from traditional methods of attacking organisations and people are the target, Identity and Access Management [IAM] is the new frontier to protecting both people and sensitive access. If the UK is to become a leader as Mr. Clark announces, then the UK will have to invest in a strong digital identity where both consumers and organisations can both benefit from government investment similar to that which Estonia launched back in 2002. The UK will face short term challenges when attracting global talent especially with Brexit looming so the UK will need to invest heavily on educating the local workforce.”
