Safety is in numbers when it comes to creating robust security measures, but how do we shape solutions for the future?
It seems that not a week goes by without the media reporting on high-profile attacks such as the one on TalkTalk and high-profile attackers like Anonymous. The increasing threats aren’t just newsworthy; they’re also very real.
Given this increase, it’s not surprising that the 2015 National Security Strategy reaffirmed cyber threats as one of the most significant risks to UK interests. This acknowledgement came with a significant investment promise of £1.9bn over five years to “support work to keep the UK protected from cyber security attacks.”
In defining the word ‘cyber’ the Oxford English Dictionary states:
“…relating to, or characteristic of the culture of computers, information technology, the internet and virtual reality”.
In some ways this definition isn’t helpful, as it suggests that cyber security is the sole responsibility of information technology specialists. In reality it requires a whole-organisation approach to risk and its management, of which cyber risk is one consideration.
On the upside, highlighting the role of IT in this definition does mean a significant amount (£860m) of the government’s pledge will be put into education and research to provide knowledge and skills in cyber security for the future workforce. There is also the promise that research organisations will be established to gain a deeper understanding of the threats and increase capability to detect and defend against them.
The UK strategy aims to “tackle cybercrime and make the UK one of the most secure places in the world to do business in cyberspace.”
The Janet network is a major part of the UK's critical infrastructure and we recognise the part we play in helping our members secure their own cyberspace as well as protecting ours, thereby demonstrating the value of central and shared services for cyber security.
Our members will be at the heart of these programmes and the Janet network will enable this work, providing the means for collaboration and secure data sharing.
The Institute of Risk Management teamed up with BAE Systems to run a workshop looking at the perception of cyber risk across business. It was clear that information risk managers faced a number of common issues: getting their boards to engage in the cyber security agenda, users finding ways around controls, and gaining support and funding for cyber security investment.
They identified the challenges of changing culture and the importance of education in guiding their employees to be more mindful of cyber security.
Although these companies were mostly in banking and retail, we hear the very same comments from our members in education and research. Our own issues with Distributed Denial of Service (DDoS) on the Janet network have given us the opportunity to talk to a significant number of our member organisations specifically about their needs for support with cyber security and the role they want their network provider to play.
Is there light at the end of the tunnel?
Implementing cyber security controls to protect systems seems obvious but can be expensive with return on investment being difficult to quantify. The threat landscape is increasing and, with it, the requirement for assurances that data is secure.
An organisation that practises good risk management not only protects its reputation, intellectual property and data, but also offers its customers a measure of assurance, making it attractive to do business with.
What are we doing?
Our Computer Security Incident Response Team (CSIRT) see many types of attack on Janet daily and, in a constantly evolving world, we strive to develop our services so that they remain relevant and effective. The attack we faced on our own infrastructure in December 2015 marked a change in hackers’ tactics and we saw the need to accelerate our planned enhancements to mitigate security incidents on the Janet network.
Vulnerability management is an important tool in the defence against cyber-attacks as it gives visibility of where your systems may be providing a vulnerable target for attackers. To help, we have procured a vulnerability assessment service via a single supplier framework.
Web filtering is on the agenda of many organisations at the moment, not least as it is a useful tool to help meet the requirements of Prevent, which is one of the key priorities of the government – and aims to prevent vulnerable people from being drawn into extremism.
We can help to manage access to websites using configurable lists of blocked or permitted web addresses and there are a number of web filtering solutions available which can be tailored to align with organisational policies. To see more about how our web filtering solutions can help, take a look at this recent blog post from Jisc’s applied network services manager, Nelson Ody.
We’re planning a series of technical forums, which will give our community more opportunities to engage with us and network with each other around their needs in the fast-moving area of cyber security.
In the defence against cyber-attacks we are collaborating with partners and colleagues within the sector and government. Take a look at our security strategy to see what we plan to do over the next three years in response to our members’ challenges.
Read further information and advice from Jisc on security services on our cyber security page.