What does the launch of CERT-UK mean for UK businesses? writes EJ Hilbert, Head of Cyber Investigations at Kroll EMEA.
Having only moved to the UK in August 2013, when I heard of the launch of CERT-UK (Computer Emergency Response Team-UK) in March this year, I was at first surprised that a team like this did not already exist at a national level.
The launch of CERT-UK is an enormous step forward as it will not only deal with cybersecurity incidents of national significance but will also provide advice and alerts on cyber-threats to government, industry and academia. An overwhelming 93% of large corporations have suffered a breach over the past financial year alone, according to Minister Francis Maude, a shocking statistic. With some attacks costing upwards of half a million pounds for businesses, it is essential that they take cyber security seriously and follow in the footsteps of other countries in addressing this issue.
UK businesses are, on average, 3-5 years behind the US in terms of cyber threat awareness and understanding. Only 17% of UK business leaders see cyber security as a major priority, compared to 41% in the US, according to a recent study by BT. Centralised information sharing and security guidance at a national level is essential in helping to defend against cyber threats, a lesson that is only just being learned in the UK.
The US launched its CERT in 2003 with a mandate to respond to major incidents impacting national security, analyse threats and exchange critical information.
Some people might picture CERT as a group of cyber ninjas that will be deployed to companies in their hour of need to fix cyber related issues. That is not their role.
A CERT’s true role is the collection, analysis and dissemination of information done in such a way that it enhances the recipient’s security posture.
The CERT’s primary concern is critical infrastructure. For a single company or corporation, that concern may be manageable because the infrastructure will be owned or operated by the business. In the case of a nation, particularly a highly privatised one like the UK, the critical infrastructure is owned and operated by hundreds if not thousands of different entities, so the role becomes exponentially harder because not everyone has the same understanding of the threats or the capabilities to address them.
The output from CERT is only as good as the information that goes in. If companies or the UK government are unwilling or unable to provide CERT with information about cyber threats and attacks, then CERT-UK will have little to no effect on the state of cyber security within UK businesses.
In some industries across the UK, CERT will be trying to drink from a fire hose of data, while in others it will die of thirst as barely a trickle flows.
What’s more, if CERT-UK is under-staffed or incapable of handling the volume of data that companies, government agencies and other CERTs are providing, it will again be ineffective.
What needs to occur is a firm commitment from both sides.
CERT needs to be very clear on what data companies and government are to share with them and thus what they will focus on for analysis and dissemination.
In response, companies need to commit to providing the specific information requested by CERT either by refining what they have or increasing capacity to collect sufficient data.
Similar to Kroll’s Cyber Intelligence Banking Alliance, which collects and analyses data from hacking attempts against UK banks, other industry-specific data sets will be created and shared with CERT. This will allow CERT to create a clearer picture of the cyber threat landscape and advise on potential mitigation strategies.
CERT-UK has the potential to be the go-to location for information about all cyber threats, attacks and protection methodologies, but they can’t do it alone.
What does the launch of CERT-UK mean to UK businesses? It means the UK is in the race. It means that if businesses play their part, the UK will have an effective tool in mapping the cyber threat landscape, mitigating attacks and surviving cyber-based attacks.