Paul Chichester(PC), Director of Operations, NCSC was interviewed for and on behalf of Cardiff Business Club by Paul MacKenzie-Cummins (PMC), managing director at Clearly PR & Marketing Communications.
PMC: What is the role of the centre and why was it brought into being?
PC: The government was looking for something ‘transformative’ – something that would represent a step change in how the UK and the government itself were responding to the cyber security threat.
By bringing a number of disparate parts of the government machinery together into a new single centre, and giving businesses a single front door for advice and help, irrespective of whether they are a citizen or business.
PMC: Cyber crime cost UK businesses £11 billion in 2015, how has this changed over the last 5 years?
PC: Today we report cyber crime in the same was as we report any other crime. Five years ago it was still to some degree classed as being a niche crime – criminals very much saw it as a way of making relatively small amounts of money.
Now the challenge we face is the awareness that the global economy is built on technology and there are those whose actions are generating – in some case – tens and hundreds of millions of pounds via cyber space. It has moved up several gears, often characterised by groups that are organised on a grand scale in large syndicates.
PMC: Philip Hammond recently said that businesses need to “sharpen their approach” to cyber security. He also said that as many as 9 in 10 UK businesses lack “an incident management plan”, how serious do you think companies view the threat of cyber security?
PC: It is getting better, but as the Chancellor rightly said one of the things that businesses are lacking is that instant management plan. A lot of companies are trying to do the right thing and stop themselves from being attacked. But what they perhaps haven’t really done is plan for the worst case scenario – what would happen if tomorrow your systems have ransomware on them and they are all encrypted?
PMC: What more can be done to drive the message home?
PC: Increasingly, the change in the threat landscape is encouraging businesses to really think about what they are doing…businesses are facing situations where all their data has been encrypted and they will never get to back, which could even seen them going out of business.
You really do need to plan ahead and do back ups and really think about how you want to respond to that; you don’t want to think whether or not you will have to pay a ransom when you’re being asked to pay – you want to be able to make that callbeforean attack takes place.
PMC: Do you think people are enough aware of the threats posed?
PC: People, unwittingly, will do things that increase the vulnerability of their systems. So there is a balance with businesses in allowing their people to be agile and responsive while managing that risk and being conscious of not introducing weak links into the organisation.
User awareness and user education is something that we are actively encouraging. After all, it only takes one employee to click a link to facilitate a breach, so we each have a responsibility at a government, business and individual level.
PMC: We’re in an age where many business leaders are still trying to get to grips with social media, so shifting their focus to cyber security issues may seem a stretch for many. What do you say to small business leaders who think “it won’t happen to us”?
PC: The key is to overcome perception that cyber security is not some sort of dark nation state sort of thing that doesn’t have any impact on SMEs. Arguably it is as important if not more so for SMEs because through one single vulnerability then potentially those businesses could be left unable to service their customers and they could even risk losing their business altogether.
So cyber security for SMEs is absolutely critical, particularly in Wales [given the fact that 99.3% of all businesses in Wales are SMEs].
PMC: How many people are needed to meet the cyber skills demand?
PC: We are all aware that globally cyber skills are in high demand and this demand is projected to outstrip supply for years to come. But there is a positive to this.
When you look at some of the Cyber First work we are doing in the NCSC you will see that we are targeting future generations of cyber specialists from age 11 through to university via a range of initiatives, such as summer camps, competitions and bursaries for university students.
There is a wealth of potential talent out there and we’re harvesting that talent for future generations. This is a long ball game.
I am really optimistic about the future, providing we continue to invest and grow some of the schemes I have alluded to. Of course there is only so much government can do, business needs to step up too and invest in future talent.
PMC: What message do you want to get across to Welsh business leaders?
PC: It is important that business and individuals recognise that the NCSC is for the whole of the UK. We want to get Wales and Welsh business leaders interested in understanding more about what cyber mean for them – not just the threats, but also the huge opportunities for businesses here in Wales.
Cyber is not all about the dark side, for a lot of businesses trading online will be a huge advantage to them and building cyber security expertise will give the local economy a real boost if it can invest in this space.