Cybersecurity as a collective issue: Bringing UK industry together

1. ‘First things first. Get the champagne.’ Winston Churchill, 1931, New York.

Recently, eSentire and our partner, Sumo Logic, hosted a group of influencers and IT decision-makers at the Churchill War Rooms in London to talk about all things cybersecurity. This was an opportunity to listen to a keynote speaker, hear about evolving cyber trends and research, and participate in an interactive customer panel session on major themes affecting the industry. The event, held at an iconic venue, was attended by more than 50 participants from industries including financial services, media and publishing, travel, advisory services, and health research.

2. “Craft is common both to skill and deceit” – Winston Churchill, 1947, London

Mike StJohn-Green, an independent cybersecurity consultant who spent 39 years in government, delivered the keynote, focusing on the evolving nature of threats influenced by dramatic changes in technology and techniques attackers are using to exploit that technology. The idea of the security perimeter no longer holds water. As Mike commented, “we used to think we could create perfect static defences. Some still think we can”. He drew parallels between the modern requirement of cyberdefence and human health – we have to detect anomalous activity and invoke the immune-response system faster than the adversary can respond, in order to out-manoeuvre the adversary. He laid out the following recommendations for the industry at large.

• Our systems need to be designed to be resilient, defensible and observable
• We need to observe our own systems from the inside
• The better we know good behaviour, the easier it is to spot bad behaviour
• We need rapid responses to predictable scenarios
• We need to keep learning, to keep pace with the adversaries
• We need to share intelligence – but building the trust relationships is hard

3. “…it is better to be both right and consistent. But if you have to choose—you must choose to be right.” – Winston Churchill, 1952, London

Mark Sangster, eSentire’s VP and Industry Security Strategist, shared insights from the latest research on security evolution and maturity amid emerging technology adoption and evolving business needs (FutureWatch Report), the recent UK Threat Intelligence Spotlightbased on anonymised eSentire customer data, and primary research on Third Party and Supply Chain Risk. The empirical data complemented the anecdotal point of view expressed in the keynote, notably:

• Adversaries are moving beyond the opportunistic and transactional and are now targeting companies by name for the assets they hold, the people they employ, or the businesses they support through the supply chain
• Approximately forty percent (40%) of eSentire customers (small and medium businesses) in the UK experienced a security incident in 2018
• Almost half (44%) of companies were breached because of a third-party vendor.
• Increased cost and complexity was experienced by over fifty percent (52%) of those affected, along with operational disruption, financial losses and penalties, and reputational damage.
• Despite almost half of businesses experiencing a breach, only fifteen percent (15%) of their vendors reported those breaches, and almost seventy percent (70%) didn’t change policy.
• Businesses can do much to minimize their risks, from simple awareness training, to patches, to two factor authentication. However, the time to contain and respond to threats is a critical factor that goes well beyond financial penalties.
• There is no black box or product that can natively and exclusively solve the nature of modern cyber security threats. A holistic and modern approach that combines traditional and emerging technologies, such as machine learning techniques with in-house or external security expertise is needed.

eSentire was very honoured to have two customers (financial services and advisory services) join us on our panel to discuss a range of industry topics and questions from the audience. Some specific insights from the discussion I moderated are noted below:

• The breach impact criticality of reputational damage from a business and individual perspective was highlighted. Malware and ransomware remain major issues.
• While eSentire’s UK Threat Report highlights that UK employees are better at preventing phishing attacks than their global counterparts, this only offers a false sense of security – it depends on the type of business, who they are targeting, and who is being phished.
• There was consensus that outside of notable hyper-scale GDPR fines, GDPR is still in the transition phase (the notion of GDPR raised a shrug of the shoulders). The panel highlighted the different approach of regulators in the UK compared to the US, with the UK being more focused around compliance and outcomes.
• Both customer panel participants participate regular board reporting cadences where cybersecurity is a board issue. Regular education and demonstrating value in the investments they are making to protect their assets and people is key
• Educating executives through table-top exercises and simulations is a is a very useful exercise.

Collaboration between industry leaders from both the public and private sector is critical to addressing the problem of cyber threats and attacks and at eSentire, we support the efforts of the NCSC to help drive this. Events like this one provide a safe environment for these necessary discussions from which new solutions will grow and arise. We’re thankful to the individuals and businesses who participated, as well as our partner, Sumo Logic.