NCA report: cyber security industry response


Just before the weekend, the National Crime Agency (NCA) published the Cyber Crime Assessment 2016 report.

The NCA report confirms the accelerating pace of criminal cyber capability outpaces the UK’s collective response to cyber crime. So you might expect the NCA to outline where it has failed, and tell us what it’s doing to put things right. Instead, the NCA slaps itself on the back saying “Government, law enforcement and other bodies have increased efforts to tackle cyber crime.”

Business, on the other hand, gets something of a kicking. “Businesses firstly need to ensure that adequate cyber security is in place,” the report states, “but they also need to increase cyber resilience.”

The NCA report fails to criticise itself for cyber crime fighting failure

The NCA also complains that business is under-reporting cyber crime in the UK. “This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat,” the NCA says.

IT Security Thing agrees with much the NCA report says, such as business needs to view cyber crime as a board-level responsibility and not just a technical issue. However, the lack of reflective criticism of its own success in tackling cyber crime is another failure in and of itself.

Jamie Saunders, Director of the NCA National Cyber Crime Unit, says, “I hope that senior members of UK business, and not only those involved in the protection of their IT systems, take note of its contents and think seriously about ways that they can improve their defences and help law enforcement in the fight against cyber crime.”

Let’s hope that when the Government finally publishes its long awaited National Cyber Security Strategy, detailing how it will invest £1.9 billion in the fight against cyber crime over the next five years, business is given some practical help in doing that.

Business must get share of Government £1.9bn to fight cyber crime

In the meantime, let’s see how the IT security industry has reacted to the NCA report.

Luke Brown, a VP at Digital Guardian says, “for many years, the industry has faced a recruitment drought and individuals who meet the required training standards are hard to come by and highly sought after. In fact, the unemployment rate amongst information security professionals is effectively zero. The issue is that businesses can’t simply deploy security technologies and expect to be protected from every kind of attack, they need to work with security experts. The UK government’s plan to open a new National Cyber Security Centre is certainly a step in the right direction, but without more widespread investment to train more cyber security recruits, this war will continue to rage on.”

Ryan O’Leary, VP at the WhiteHat Security Threat Research Centre says, “it is a step in the right direction for the UK government to invest more money in cyber defence. In our experience, money is always better spent in the defence of an attack rather than in trying to find the culprit. Those who can pull off cyber attacks are prevalent on a global scale, as the NCA’s annual assessment has proved; if one individual or group were able to execute an attack, it is very likely many others could do the same. The issue is not the attacker – they are always going to exist – it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”

Wieland Alge, VP at Barracuda Networks says, “the simple truth is that the digital transformation of crime is outpacing the digital transformation of companies and also the transformation of cyber defence. That said, modern cyber threats are no longer simple to defend against. The crucial change in recent years has been that cyber criminals are shifting towards more targeted scams and more advanced malware that cannot be detected by traditional scanners. What’s more, the increase in mobility and sheer volume of devices has exponentially increased the potential attack surface. We are in a kind of golden age for digital crime.”

Jonathan Martin, Anomali EMEA Operations Director says, “organisations must come to terms with the fact that cyber criminals are going to continue, and it’s the aggressor who decides the terms of engagement. But defence wins that game through a war of attrition, upping the costs and sophistication necessary to obtain the information by requiring the aggressor to squeeze through too many choke points. Large military organisations would never dream of going into battle without legions of highly trained, highly skilled troops – and we as defenders of the security realm need to take a similar view. Attacks nowadays can be over extremely quickly, so having highly trained security teams ready to go, with the necessary knowledge and the right tools to make the right decisions under stressful situations means that the impact of the attack can be greatly reduced.”

David Emm, Principal Security Researcher at Kaspersky Lab says, “from our own work, the types of targeted attacks we’ve uncovered demonstrate that cyber-gangs have access to a large pool of skill and resource, and this is continuing to grow on a daily basis. We now live in a connected world, so there are plenty of opportunities to steal sensitive information, which has effectively become a commodity. This underground market provides access to the skills and resources needed to carry out such attacks, as well as to various kinds of stolen data. The NCA’s findings are a warning to all organisations that it is simply no longer enough to protect the perimeter of a corporate network.”

Awareness is the first and best line of defence

Paul Simpson, Principal Consultant at Verizon RISK says, “awareness is the first and best line of defence against cyber-criminals. CIOs also need to stay in touch with the latest security threats, and share that knowledge throughout the organisation. My immediate advice to any company is to ensure that the security basics and procedures are already in place to help mitigate the impact of a future cyber-attack. Prevention is often better than cure and the effectiveness of implemented security and incident processes should be tested and measured for effectiveness. This can be done via a concentrated security approach.”

Paul Taylor, Partner and UK head of KPMG’s cyber security practice says, “collectively we all need to be more open and transparent in the reporting of cyber-crime, recognising that all of us face similar threats from ruthless, innovative and transnational criminal entrepreneurs. A new partnership is needed between Government and industry to take the offensive in disrupting the business models used by criminals, and both BT and KPMG are committed to playing our part in helping the National Cyber Security Centre and National Crime Agency succeed in this shared goal.”

Peter Cohen, Strategic Manager of Countercept says, “it is true that compliance does not equal security, but it does give organisations a baseline that is generally geared around mitigating low-level threats such as commodity malware or script kiddie activity – as such it can be considered a reasonable starting point (depending on the compliance framework). The real danger with compliance is that while its purpose is understood within security circles, executives often believe that compliance is security, however, when it comes to mitigating more capable threat actors, this simply is not the case.”

Troy Gill, Manager of Security Research at AppRiver says, “unless we’re talking about the board of a cyber security company or compliance agency, remaining secure and compliant is probably one tiny sliver of issues they deal with daily. If most boards knew what was at stake by remaining non compliant or negligent with their IT security, they would make it a priority. Unfortunately, most don’t realize this until it’s too late.”