Cyber rising: NCSC’s Cyber Security Survey shows it is not just an issue for the IT department

As the UK’s National Cyber Security Centre publishes its first “UK Cyber Security Survey”, Radar explores the number-one red button on the regulators’ agenda.

The UK’s National Cyber Security Centre (NCSC) released its first UK Cyber Security Survey in April 2019. Shortly after, the Department for Digital, Culture, Media and Sport (DCMS) released its findings in the fourth annual Cyber Security Breaches Survey 2019. Cyber security is at the very top of the corporate agenda. But this isn’t just an issue for the IT department: the regulators are making cyber control their top priority for 2019.

NCSC UK Cyber Security Survey

The NCSC was launched in October 2016 as a go-to hub for business, government and financial services for all things cyber. Bringing together expertise from GCHQ, the Centre for Cyber Assessment and CERT-UK, the NCSC provides practical guidance for firms, as well as incident response when things go wrong. The first of its kind, the Cyber Security Survey provides insight into how the British public view and interact with cyber technologies, from social media to online banking.

Alongside the survey, the NCSC unveiled a list of the most used and at-risk passwords, revealing that the password “123456” has been found 23m times in recorded breaches. Other passwords reveal where people’s loyalties lie, with “liverpool” being the most common among football-club-related passwords, and “ashley” the most commonly used name.

Cyber breaches are becoming increasingly targeted and personalised. While mundane, cracking the code to a successful, strong password could save businesses and individuals time and money.

DCMS Cyber Security Breaches Survey 2019

DCMS released its fourth annual Cyber Security Breaches Survey 2019 in April. The survey of 1,500 UK businesses revealed that, while the proportion of businesses reporting cyber attacks has fallen from 43% to 32%, those that did suffer attempts typically faced six attacks a year, as attacks become more targeted and less technical. Other findings included:

  • 78% of businesses rate cyber security a “high priority” for senior management, up from 74% in 2018.
  • 33% of businesses now have a written cyber security policy.
  • The most common attack identified was phishing, accounting for 80% of attacks, with 28% of those surveyed experiencing attacks where the perpetrator impersonated an organisation.
  • Technical attacks, including viruses, spyware and malware, have dropped to 27%.

The survey further found that 98% of UK companies rely on online services to run their business effectively. This should come as no surprise in an era when colleagues communicate via IM, payments are made using phones and receipts are sent via email.

In a previous edition of Radar, we examined how software as a service (SaaS) is getting traction, particularly in the financial services sector. As companies move to premium online software solutions, firms need to be even more vigilant. While online services may be commonplace, they may not always be safe. No one is immune to cyber breaches, and the regulators are determined to ensure firms are doing all they can to reduce and mitigate damage.

Not just for the IT department

For many, cyber breaches are a problem for the IT department. You’d be hard pushed to find someone who hasn’t rolled their eyes at a “virus scan”, or an email promising that, if you click the link, you’ll receive lottery winnings from a far-flung country. Company policy tends to pass the burden of these instances to the IT department, but as cyber criminals develop more targeted attacks on individuals, the problem becomes everyone’s.

“As IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. They recognise that humans are now the weakest link and increasingly the targets are directors and senior decision makers,” commented John Abbott, CEO of services provider Priority and founder of cybersecurity platform ThreatAware. “As cybercrime becomes more complex, boards need to lead the fightback and work closely with IT teams and managers throughout the organisation to ensure they are in the best possible position to defeat these threats,” he added.

This hasn’t gone unnoticed by the regulators – especially given their own struggles with cyber breaches. In the UK, the FCA has tackled attempts by fraudsters to use FCA branding in phishing campaigns against the financial services sector – even they are not immune. But what do they expect from the industry?

A top priority for the regulators

Cyber is arguably the top priority for financial services regulators across the globe, and for good reason: an effective cyber breach could have devastating implications for banks, customers and their money. Towards the end of 2018, FCA executive director of supervision Megan Butler noted “the current threat level is remarkable. Cyberattacks are now sandwiched between ‘failure of climate-change mitigation’ and ‘large-scale, involuntary migration,’ on the World Economic Forum’s 2018 risk landscape”. Barely a day passes without news of a hacking scandal, concerns around the cyber security of big companies (or governments), or serious defects in policy or procedure.

The US Securities and Exchange Commission (SEC) has stated that it views cyber security as a “responsibility of every market participant”, with the expectation that “companies should consider cyber threats when implementing internal accounting controls.”

The FCA has gone as far as including cyber security as a key focus in its 2019 Business Plan. In a letter to the CEOs of wholesale brokerage firms in April, the FCA said it had “found serious deficiencies in resilience and readiness to combat cyber-crime”. It is against this backdrop that it has highlighted that it intends “to use regulatory tools to test the cyber capabilities of our high impact firms” over the course of 2019.

The FCA has identified “complex and aging IT systems” as a key contributor to harm in cyber security. In her 2018 speech, Butler noted that “nearly half of firms do not upgrade or retire old IT systems in time”, which leaves vulnerability across the industry. Firms should be investing in new technology that has been built to align with the most current cyber protections. This echoes the FCA’s message across financial services: invest, explore, evolve.

In a bid to test cyber strength, the FCA has carried out so-called “ethical hacking” of high-risk firms, to evaluate whether they have effective systems in place. This will continue to be a focus in 2019, likely becoming part and parcel of firms’ security controls.

While cybercrime can, and does, occur on a highly technical level, the majority of victims targeted are individuals. The FCA recognises that it is not only systems that are vulnerable to attack but also employees: “most cyber-attacks exploit people and/or processes by using social engineering: sending emails with tempting but malicious links or attachments etc.” As such, the FCA places an emphasis on ensuring that staff are adequately trained to spot potentially suspicious behaviour. Moreover, the regulator asks that a firm’s “culture” is adequately developed to properly protect the entity and to avoid cyber exploitation.

From a statutory standpoint, a cyber attack within the financial services industry would have significant implications for both consumers and the markets. Therefore, firms have a prima facie obligation to implement effective systems and controls in order to comply with the FCA’s overarching objectives: to protect consumers and enhance the integrity of the UK’s financial system.

Undoubtedly, the regulator’s expectations surrounding cyber security will only increase. The introduction of the Senior Managers and Certification Regime (SMCR) in the UK, though not directly prescriptive about cyber security, will mean that the FCA will want to see that firms have allocated cyber security to a relevant senior manager in their statement of responsibility (SoR).

Fail to plan – plan to fail

Fieldfisher’s Kuan Hon, a director in its cyber security team, perfectly summarised the key takeaways in her response to the cyber surveys:

“Over the next few years, organisations should prepare themselves for even more data privacy and cybersecurity laws on top of the GDPR, such as the NIS Directive, more regulatory guidance, more regulatory investigations and enforcement actions, more high-profile cyber security breaches and more court judgements. Compliance needs to be seen as an ongoing fixed business cost, but the benefits far outweigh the potential costs of business continuity disruption, regulatory fines, lawsuits and reputational damage.”

The financial services landscape is changing. Time and again the regulator has outlined its desire to see compliance within firms evolve at pace so they don’t get left behind or see widening gaps in their compliance regimes. It’s easier said than done. What started as the monitoring of e-comms channels has gradually shifted to a regulatory obligation to implement systems that capture, analyse and protect data: from emails to cyber currencies, from crypto to trade surveillance. IT departments still have a fundamental role to play in cyber security, but compliance teams should be thinking ahead to anticipate what the regulator will ask of them next.