The police-led national network of Cyber Resilience Centres was created by government to support SMEs, charities and public bodies. PublicTechnology meets leaders in London and Wales to find out more.
The quality of ‘resilience’ is evidenced by being “strong and not easily damaged by being hit”, according to Collins English Dictionary.
‘Being hit’ by cyberattacks is now near-enough an inevitability for businesses and public bodies. The extent to which they are ‘easily damaged’, however, need not be such a certainty.
The concept of ‘cyber resilience’ appears to have gained traction in IT security in recent years – not least in the public sector, where the Government Cyber Security Strategy published last year contains 79 references to ‘resilience’, including two within the first 25 words.
Another instance crops up in the document’s headline ambition to make public bodies “resilient to known vulnerabilities and attack methods no later than 2030”.
A key strand of the plans to achieve this is the GovAssure initiative through which all departments will now be required to undergo annual independent cyber resilience audits. According to commercial documents, after the completion of these assessments, agencies “will receive a ‘get well’ report listing current vulnerabilities which will then allow it to spend its cyber budget more effectively and to mitigate specific risks quickly”.
To support such progress beyond the walls of Whitehall, in 2020 the Home Office launched a project to establish a network of nine cyber resilience centres (CRCs) across England and Wales. The role of the centres is to support SMEs, public sector organisations and charities to boost their cyber credentials by delivering assessments, skills training, on-demand support for members, and exercises designed to test resilience and response.
While the centres operate as independent entities, the work of each is typically led by local policing bodies, in close collaboration with academia, the public sector and business groups.
In partnership with 45 universities, the nine centres that form the network deliver the Cyber PATH programme, which aims to support the UK’s security talent pipeline by giving students hands-on experience of working in a commercial or public sector environment. Meanwhile organisations, particularly charities and SMEs, can benefit from expert services without a prohibitive price tag.
PublicTechnology caught up with the leaders of the CRCs for London and Wales which, between them, serve organisations across an area with a cumulative population of about 12 million people – and including two capital cities.
The interviews below have been condensed and edited.
The Cyber Resilience Centre for London
The CRC that serves the capital works with the London Mayor’s Office for Policing and Crime, the City of London Police and the Metropolitan Police Service. Its chief executive is Simon Newman, who previously worked for the centre’s predecessor – the London Digital Security Centre – and, before that, for the National Policing Improvement Agency and the Home Office.
PublicTechnology: Why has the concept of ‘cyber resilience’ become so prevalent in recent years, and what does it mean to you?
Simon Newman: Historically, government and others have talked about ‘cybersecurity’ – which is, for me, about the prevention side of things, and trying to protect organisations from falling victim to cyberattacks and breaches. ‘Cyber resilience’ is the next iteration of that, which – with the likelihood of becoming a victim being so high – is really about putting the things in place that help you recover as quickly as possible. So resilience is broader, and takes in more than security – it’s doing those things, but also putting things in place that will help you recover and get yourself back up and running ASAP, like having an incident response plan.
PT: Does that acceptance of the likelihood of being attacked represent a difficult shift in mindset – particularly for senior leaders?
SN: A lot of organisations we speak to still don’t see or understand the threat properly. You want to try and change their attitudes without scaring them, which I think is an important thing to do. We can struggle a little bit getting that message across, and it is quite hard; one of the challenges we have with cyber is that it’s a difficult thing to explain. And I think when you’re talking about the public sector, specifically – especially where you’ve got elected members and councillors – trying to convey the threat, how it manifests itself, and what it would mean for that organisation is a really difficult thing to do. And councillors generally aren’t particularly well versed in cyber, so we have had some challenges on that.
“What we want to see is a shift from the negative into the positive – with organisations that reward good cybersecurity behaviour, rather than discipline staff who click on emails accidentally.” – Simon Newman, Cyber Resilience Centre for London
PT: What are some of the ways that organisations can most effectively ensure they have a pervasive cyber culture?
SN: What we want to see is a shift from the negative into the positive, with organisations that reward good cybersecurity behaviour. So, if we think about phishing – which is still the most common and impactful type of cyberattack in the world – what we want to stop seeing are companies that threaten the sack or discipline staff who click on emails accidentally – it’s human nature and cybercriminals are getting far more effective at making it look more and more legitimate. What we want to see is people being rewarded for flagging up those types of emails; because, if something’s looking suspicious, the quicker that they’re able to flag that up, the less harm that is potentially done to the organisation.
The other thing which I think is a really important area is the culture around supply chains. The government’s latest cyber breaches survey reveals that only 13% of businesses actually look at the security of their immediate supply chain. But we’ve started to see some organisations, not necessarily stipulate a set of standards for suppliers, but actually work with those suppliers to see how they can reduce the risk together – owning the risk, as opposed to outsourcing. And that’s been a really good way forward, and I’d like to see that become more popular amongst other organisations – particularly in the public sector.
PT: Does London have endemic or specific cyber challenges?
SN: Yes, London’s a really interesting place for a couple of reasons. One is that it’s the home of the financial services industry in the UK and the global fintech industry, as well as having some pretty large businesses that have their global headquarters in the capital. But, while we’ve got that element, interestingly enough about 86% of businesses in London have fewer than nine staff. So, we are a micro-business and sole trader success story in many ways, and that creates very different challenges between those two contrasting areas.
What we’re trying to do in London within the CRC is probably a little different to the other centres. We’ve developed a new strategy, which has three core pillars. There’s the bit that we do around the businesses, the SMEs and the charities. Then we’ve got a really big focus on skills – because that, for us, is a really big, important area that needs to be plugged. And that’s an issue nationally as well, but certainly in London. And then there’s an intelligence piece, which means that we need to get a better understanding not just of the problem, but also about what works in terms of messaging. Because we’re really interested in targeting those micro-businesses and sole traders in particular, because we know they’re often left out, or don’t engage with government messaging, or police messaging around cyber – and clearly the impact of an attack on them can be pretty harsh.
The Cyber Resilience Centre for Wales
The CRC that works across Wales offers a range of support and strategy services, as well as helping to build skills. The centre offers a free core membership, through which organisations can access a dedicated expert consultation, as well as guidance resources and regular industry updates. Additional benefits and support can be unlocked by joining higher membership tiers, costing up to £500 a year.
The organisation is led by director Paul Peters – a detective superintendent with 25 years of policing experience who has previously worked as senior investigating officer for a major crimes team dealing with murder and serious or complex cases. He has worked in cybercrime since the first such specialised police unit was created in South Wales almost a decade ago.
PublicTechnology: What does ‘cyber resilience’ mean to you?
Paul Peters: It’s around reducing your vulnerabilities. I don’t think you can ever say you’re completely secure, but the resilience piece is very much about improving your security. I spent five years heading up the regional cybercrime unit in southern Wales, and there were some complex attacks, but the vast majority of attacks are probably down to poor password hygiene, or not recognising phishing emails. So, for me, it’s very much about focusing on the really simple things that people can put in place to prevent themselves falling victim to cybercrime. And part of our message is that we’re talking about simple things, and common sense things – we’re not talking about technical things. When we’re dealing with high-street shops, sole traders, and small and micro businesses, we just want them to start the process – and they can do that by having strong passwords, and recognising phishing emails, and not becoming vulnerable to some of the multitude of attacks that take place daily.
“We send a detective inspector to go shop to shop and business to business, in the high street or on a trading estate, and just go in and spend half an hour talking about some real basics. And that’s where we’ve had real success.” – Paul Peters, Cyber Resilience Centre for Wales
PT: What are the most effective ways of getting that message across?
PP: So we go to events and do presentations, and we work closely with people at the Federation of Small Businesses and Chambers Wales. But where we’ve had real success is through our community engagement days. These came about as a result of a presentation I gave to a roomful of accountants, who appeared to have good feedback and good engagement. But then only one actually signed up for a membership! Which was disappointing but, what really hit home was, we need to actually go to the business, and devote a bit of time to spend with them. So what we initiated in Wales, which I think has been replicated in a few other centres now, was sending a detective inspector that works for us – alongside a cyber protect officer for the local force and a police community support officer – to literally go shop to shop and business to business, in the high street or on a trading estate. And just go in and spend time – 20 minutes or half an hour – just talking about some real basics and offering the membership. And that’s where we’ve had real success – by actually going out to the businesses rather than just talking at them and waiting for them to sign up.
PT: What is the benefit of the CRC model – where the centres are led by police, but operate independently and work with the education sector and business groups?
PP: One of the things that’s really struck me is, as a career detective, when I came into this role I had about 26 years’ experience in policing – but none in setting up a company and running it. So, I’ve certainly had to learn a new skill set. And I think that helps understand the issues that are facing small businesses, and micro-businesses. Because effectively, I am running a micro-business myself. So, I have experienced the same pain – I’m probably using similar sort of software, and having similar concerns, whether it be understanding taxation or sales, or working on marketing. So I think that gives us a better understanding, which is beneficial. I also think, by operating as a not-for-profit company, we have far more flexibility to react, and try new things. And also the Cyber PATH part of the network – whereby we use local students or university students to actually deliver discounted services – that’s a key part of the model, which makes it really necessary, to operate in this way. Rather than try and do that within a police force or a government organisation where probably things wouldn’t move as quickly as we can move them in our small organisation and the rest of the network.
PT: Does Wales – and your role in supporting its resilience – face specific cyber challenges?
PP: I’m based in south Wales, and I can get to London in two hours and 20 minutes. But it can take me six hours to get to places up in north Wales. But it’s really important that we do ensure that we are visible across Wales – because we’re not just a south Wales-centric centre. It’s important that we support businesses right across the country. We get some great support from the four police forces across Wales – who work with us, and support us. But the geography can be a challenge.
But I think we have other benefits; we work with Welsh Government, who are very supportive, and we’re currently working with them on an initiative in the social care sector, where they’re providing some funding, and we’re able to put together a certain training package for the sector. There are challenges – but there are also real benefits from having the support of a devolved administration.