The National Cyber Security Centre has said that cyber attacks have reached a “scale and boldness not seen before” – and can only be tackled by a collaborative effort between government, industry and law enforcement agencies.
In its 2016-17 report on cyber threats to UK businesses, the centre said it tackled 188 high-level attacks in the UK in the past three months.
It stressed that the government had a central role to play in ensuring cyber security across the UK, and that it was “committed to making the UK a secure and resilient digital nation”.
The report said: “A key aspect of this strategy is through robust engagement and an active partnership between government, industry and law enforcement to significantly enhance the levels of cyber security across UK networks.”
This includes work by government departments to promote device security, for instance on smart meters and Internet of Things-connected devices.
The document set out a new wave of cyber threats, including an increase in the use of extortion as attacks become “more aggressive and confrontational”, more large-scale attacks from IoT botnets and a growing use of mobile malware, such as malicious or fake apps and SMS phishing attacks.
However, the report said that the most impactful attacks in 2017 would be “directed at building blocks on which the Internet runs, rather than innovative technology”.
There will also be more targeted attacks on industrial connected devices, such as energy smart meters, networked security cameras and automation like connected indoor lighting.
“A stark example of this was seen in Finland in 2016, when denial of service conditions disabled residential automated heating systems in apartment blocks for more than a week,” the report said.
Organisations should also be prepared for attacks that tamper with data, rather than simply stealing or denying access to it, and for attribution of attacks to become more difficult as malware becomes more tailored to each victim.
The document says organisations must report attacks, promote awareness within teams, encourage stronger “cyber hygiene” and boost training for staff, and integrate their cyber security measures with risk management.
The NCSC has also worked with the Crown Commercial Service to add its weight to the second iteration of the procurement framework for cyber security services for public sector bodies.
The Cyber Security Services 2 framework, which went live on 13 March, offers a central route for the public sector to procure cyber services and will only list suppliers with current NCSC certification.
The CCS said this would increase “the technical and qualitative assurance attributed to the suppliers on Cyber Security Services 2”.
Suppliers can add services at any time during the life of the agreement – which is 12 months initially, with the option of extending this to 24 months – and a ‘once only’ process means they can reuse selection questionnaire responses when bidding for other public sector procurements.
The CCS has also simplified the bidding process to make it easier for small companies to supply the government, and of the 121 suppliers listed, 71% are SMEs.
There are four lots in the framework: cyber consultancy for risk assessment, risk management, and audit and review; CHECK penetration testing – which identifies weaknesses in systems; incident response; and tailored assurance.
The launch of the framework and the report coincide with the national cyber security conference, CyberUK, which is being held in Liverpool this week.