NCSC Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged: NCSC

NCSC: Prepare for the long haul on Russia-Ukraine

Stuart O'Brien

Cyber security experts have urged UK organisations to prepare for an extended period of heightened threat in relation to the Russia-Ukraine conflict as they published new guidance aimed at supporting staff resilience.

The guidance from the National Cyber Security Centre (NCSC) – a part of GCHQ – is the latest in a series of interventions which began in January with advice to help organisations bolster their cyber defences in response to the developing situation in and around Ukraine.

It sets out eight steps for sustaining a strengthened posture when systems, processes and the workforce remain under pressure, focusing on staff welfare as a direct contributor to maintaining an organisation’s resilience.

The NCSC assesses the cyber threat to the UK as a result of the conflict remains heightened and organisations are urged to not let their guard down and to consult the new guidance to prepare for longer-term resilience.

Paul Maddinson, NCSC Director for National Resilience and Strategy, said: “From the start of the conflict in Ukraine, we have been asking organisations to strengthen their cyber defences to help keep the UK secure, and many have done so.

“But it’s now clear that we’re in this for the long haul and it’s vital that organisations support their staff through this demanding period of heightened cyber threat.

“We have produced new guidance to help organisations do this, and I would encourage them to follow our advice to help sustain their strengthened cyber posture.”

The guidance is designed to be applicable to any period of sustained heightened cyber threat, including the one arising from events in and around Ukraine. A blog post, published today, sets out how the advice relates to the current geopolitical situation.

It advises that increased workloads for cyber security staff over an extended period can harm wellbeing and lead to lower productivity, with a potential rise in unsafe behaviours or errors.

The recommended actions in the guidance include:

  • Getting the basics right by following our ‘actions to take when the cyber threat is heightened’ guidance;
  • Revisiting risk-based decisions taken during the initial phase of heightened threat;
  • Empowering cyber staff to make day-to-day decisions about the threat response without requiring additional oversight;
  • Ensuring workloads are spread evenly across individuals and teams and that frontline cyber staff can take breaks to recharge;
  • And accelerating planned action to harden networks and boost defence capabilities

It also points to other NCSC guidance and resources to help organisations improve their longer-term resilience, including the 10 Steps to Cyber Security collection and Cyber Security Toolkit for Boards.

Huge leap in girls learning cyber security skills

Stuart O'Brien

The number of girls looking to learn new cyber security skills has surged this summer after courses went online for the first time.

The National Cyber Security Centre (NCSC) confirmed that the number of young people taking part in this year’s CyberFirst summer courses rose to a record-breaking 1,770 after they moved from the classroom to online.

And while the number of applications from boys saw a significant 31% rise, it was the increase in the number of girls applying which really caught the eye – rising by a massive 60% on 2019.

CyberFirst aims to ensure greater diversity in the next generation of cyber security specialists, and the summer courses offer 14 to 17-year-olds the chance to learn about digital forensics, ethical hacking, cryptography and cyber security challenges.

The new figures come one month after the NCSC pledged to take action to improve diversity and inclusion in the cyber security sector, as just 15% of the UK’s cyber security workforce are women and 14% of employees are from ethnic minority backgrounds.

Chris Ensor, NCSC Deputy Director for Cyber Growth, said: “I’m delighted to see that more young people are exploring the exciting world of cyber security, and it’s especially encouraging to see such a level of interest from girls.

“Our online courses have provided new opportunities for teenagers of all backgrounds and we are committed to making cyber security more accessible for all.

“Ensuring a diverse talent pipeline is vital in keeping the UK the safest place to live and work online, and CyberFirst plays a key role in developing the next generation of cyber experts.”

Digital Infrastructure Minister Matt Warman said: “It’s great to see so many young people taking part in the CyberFirst summer courses. These fantastic experiences give teenagers an insight into the exciting and varied careers on offer in cyber security.

“We want our cyber sector to go from strength to strength, so it is vital we inspire the next generation of diverse talent to protect people and businesses across the country.”

This year 670 more places were made available for the CyberFirst summer courses. The number of boys applying rose from 1,824 in 2019 to 2,398 this year, while for girls it went from 930 to 1,492 over the same period.

The annual initiative is offered at three levels: CyberFirst Defenders (for those aged 14–15), CyberFirst Futures (15–16) and CyberFirst Advanced (16–17) – all aimed at helping pupils develop digital and problem-solving skills and introducing them to the cyber threat landscape.

This autumn, pupils interested in cyber security and computer science can look forward to a whole raft of opportunities from CyberFirst, as part of its ongoing commitment to inspire the next generation of cyber talent.

Other CyberFirst programmes include:

  • CyberFirst bursaries and apprenticeship schemes, which offer financial help for university-goers and paid summer work placements with over a hundred organisations to kickstart careers in cyber security. Applications are now live.
  • Empower Digital Cyber Week (9th-13th November), where students can watch and join online cyber sessions given by speakers in academia, industry and government.
  • The annual CyberFirst Girls competition, open to teams who want a fun and challenging opportunity to test their cyber skills in a bid to be crowned the UK’s top codebreakers. Registrations for the 2020-21 Girls Competition open on 30th November. More details about this year’s competition can be found on the NCSC’s website.
  • The government’s online cyber skills platform Cyber Discovery launched its latest intake in June and has already attracted over 13,500 students, with more than a third of registrations from female students. The programme, for 13-18 year olds, is a free and fun way for teens to develop cyber security skills. Students can register to join here: https://joincyberdiscovery.com/

NCSC reveals role play exercises to keep home workers cyber safe

Stuart O'Brien

Business owners are being urged to help keep their home working staff safe from cyber attacks by testing their defences in a roleplay exercise devised by the NCSC.

The ‘Home and Remote Working’ exercise is the latest addition to the National Cyber Security Centre’s Exercise in a Box toolkit, which helps small and medium sized businesses carry out drills in preparation for actual cyber attacks.

Launched last year, the toolkit sets a range of realistic scenarios which organisations could face, allowing them to practise and refine their response to each.

The latest exercise – the tenth in the series – is focused on home and remote working, reflecting the fact that for many organisations this remains a hugely important part of their business.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said: “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.

“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.

“I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”

The exercise follows a range of products developed by the NCSC – which is a part of GCHQ – to support remote working during the coronavirus pandemic, including advice on working from home and securely setting up video conferencing.

The new ‘Home and Remote Working’ exercise is aimed at helping SMEs to reduce the risk of data compromise while employees are working remotely.

The exercise focuses on three key areas: how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident remotely.

Some of the most popular exercises include scenarios based around ransomware attacks, losing devices and a cyber attack simulator which safely imitates a threat actor targeting operations to test an organisation’s cyber resilience.

As part of the exercises, staff members are given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end an evaluative summary is created, outlining next steps and pointing to NCSC guidance.

Exercise in a Box is an evolving tool and since it was launched the NCSC has continued to work on the platform. It has recently been given a new refreshed look to make it even more intuitive for users and soon micro-exercises – ‘bite-sized’ exercises that focus on a specific topic – will be added.

Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast, said: “This new NCSC tool is a fantastic measure and will be welcomed universally as the threat of cyber attack continues to rise. In fact, our State of Email Security shows that 91% of UK organisations believe their organisation’s volume of web and email spoofing will increase in the coming year, while 59% of UK organisations have observed an increase in phishing attacks over the last year. It’s important that organisations prioritise cyber security, especially at a time where remote working has become the norm and connecting corporate devices via the home router becomes commonplace. This provides greater opportunity for malicious actors to infiltrate and obtain sensitive corporate data through unsecured home devices, so it’s important that businesses educate their staff on the tell-tale signs of compromise and the benefits of good cyber hygiene practices.

“Regular cybersecurity awareness education is also key. Our State of Email Security report found 56% of organisations don’t provide awareness training on a frequent basis, leaving organisations incredibly vulnerable. This is supported by further research which found that enterprises that didn’t utilise Mimecast awareness training were 5x more likely to click on malicious links as opposed to those companies that did. Often such training and education exercises may be viewed as burdensome or tedious, but it’s crucial that organisations work to change this perception and using tools such as these provided by the NCSC and others can significantly help. Our research has identified that awareness training, which is fun, interactive, and done in intervals can significantly help with retention, in addition to bolstering cyber defence in depth.”

You can sign up for Exercise in a Box or find out more about it on the NCSC’s website.

One million scam emails reported to NCSC

Stuart O'Brien

An influx of cryptocurrency investment scams is among a range of online threats which have been blocked as a result of more than 1 million suspect emails being reported by the public in just two months.

More than half of the 10,000 online links to scams blocked or taken down by the National Cyber Security Centre (NCSC) with the help of the public relate to cryptocurrency schemes, where investors are typically promised high returns in exchange for buying currency such as Bitcoin.

The scams have all been detected since the launch in April of the Suspicious Email Reporting Service, a tool which allows the public to forward suspect emails which may link to fraudulent websites.

The service, which was launched as part of the Government’s Cyber Aware campaign, has received a daily average of 16,500 emails and has now reached the milestone of one million.

While cryptocurrency scams – which cost the public millions of pounds annually – have been the main scam detected, there have also been numerous examples of fake online shops and spoofs involving brands such as TV Licensing, HMRC, Gov.uk and the DVLA.

NCSC Chief Executive Officer Ciaran Martin, said: “Reaching the milestone of one million suspicious emails reported is a fantastic achievement and testament to the vigilance of the British public.

“The kind of scams we’ve blocked could have caused very real harm and I would like to thank everyone who has played their part in helping make the internet safer for all of us.

“While it’s right that we should celebrate reaching this milestone, it is important for all of us to remain on our guard and forward any emails that don’t look right to report@phishing.gov.uk.”

Digital Secretary Oliver Dowden, said: “We are committed to making the UK the safest place to be online and are working tirelessly to defeat cyber criminals.

“I urge everyone to continue reporting suspicious emails and follow our Cyber Aware campaign top tips for staying secure online alongside our world-leading National Cyber Security Centre advice.”

The Suspicious Email Reporting Service was launched as part of the Cyber Aware campaign, which promotes protective behaviours to keep your online accounts and your devices as secure as possible.

To use the reporting service, people are asked to simply forward suspect emails to report@phishing.gov.uk. If they are found to link to malicious content, it will be taken down or blocked, helping prevent future victims of crime.

Latest figures show that 10% of the scams were removed within an hour of an email being reported, and 40% were down within a day of a report. 10,200 malicious URLs linked to 3,485 individual sites have been removed thanks to the 1 million reports received.

The Suspicious Email Reporting Service was co-developed with the City of London Police. As well as taking down malicious sites it will support UK policing by providing live time analysis of reports and identifying new patterns in online offending – helping them stop even more offenders in their tracks.

NCSC publishes university threat assessment

Stuart O'Brien

The threats facing the UK’s universities and the steps they can take to protect themselves have been outlined in a report from the National Cyber Security Centre (NCSC), a part of GCHQ.

The NCSC’s threat assessment aims to raise awareness of state-sponsored espionage targeting high-value research, as well as the risk of financial losses at the hands of cyber criminals.

While the NCSC has been working with the academic sector on an ongoing basis to improve security practices, this is the first threat assessment it has produced specifically for universities.

The assessment notes that while cyber criminals using methods such as phishing attacks and malware pose the most immediate, disruptive threat, the longer-term threat comes from nation states intent on stealing research for strategic gain.

To mitigate the risks, universities are encouraged to adopt security-conscious policies and access controls, as well as to ensure potentially sensitive or high-value research is separated rather than stored in one area.

Measures to support universities have been outlined in Trusted Research, from the Centre for the Protection of National Infrastructure (CPNI) and the NCSC, which offers accessible and actionable cyber security advice for university leaders, staff and researchers.

Sarah Lyons, Deputy Director for Economy and Society at the National Cyber Security Centre, said: “The UK’s universities are rightly celebrated for their thriving role in international research and innovation collaborations.

“The NCSC’s assessment helps universities better understand the cyber threats they may face as part of the global and open nature of research and what they can do about it using a Trusted Research approach.

“NCSC is working closely with the academic sector to ensure that, wherever the threat comes from, they are able to protect their research and their universities in cyberspace.”

The assessment found that the open and outward-looking nature of the universities sector, while allowing collaboration across international borders, also eases the task of a cyber attacker.

Among the examples highlighted in the assessment was an attack from last year attributed to Iranian actors in which they were able to steal the credentials of their victims after directing them to fake university websites.

The attack took place across 14 countries, including the UK, and many of the fake pages were linked to university library systems, indicating the actors’ appetite for this type of material.

The assessment also highlights the financial damage which can be caused by cyber attacks on UK universities, citing previous figures from UK Finance which estimated that UK university losses from cyber crime for the first half of 2018 were £145m. 

The threat assessment for universities can be read here.

NCSC issues DoS attack guidance for business

Stuart O'Brien

Organisations worried about the threat of Denial of Service (DoS) attacks have been recommended to read guidance published by the National Cyber Security Centre.

Wikipedia suffered a suspected DoS attack on Saturday September 7th that resulted in intermittent site access for some users in the UK, Europe and the Middle East.

Advice for SMEs, large organisations, the public sector and cyber security professionals is available on the NCSC’s website.

When a website suffers a DoS attack, it will appear to users that the site has simply stopped displaying content. However, for businesses it could mean that the online systems they depend upon have ceased to respond. 

The collection of guidance published by the NCSC helps organisations mitigate against DoS attacks and outlines the importance of understanding your service, creating a response plan, scaling and monitoring. 

There is also guidance around the very minimal DoS response plan any organisation should have in place.


NCSC details key wins in cyber security war

Stuart O'Brien

A scam to defraud thousands of UK citizens using a fake email address spoofing a UK airport was one of a wide range of cyber attacks successfully prevented by the National Cyber Security Centre (NCSC) in the last 12 months.

Details of the criminal campaign are just one case study of many in Active Cyber Defence – The Second Year, a comprehensive analysis of the NCSC’s programme to protect the UK from cyber attacks.

The thwarting of the airport scam was one example in 2018 of how ACD protects the public.

The incident occurred last August when criminals tried to send in excess of 200,000 emails purporting to be from a UK airport and using a non-existent gov.uk address in a bid to defraud people.

However, the emails never reached the intended recipients’ inboxes because the NCSC’s ACD system automatically detected the suspicious domain name and the recipient’s mail providers never delivered the spoof messages. The real email account used by the criminals to communicate with victims was also taken down.

In addition, a combination of ACD services has helped HMRC’s own efforts in reducing the criminal use of their brand. HMRC was the 16th most phished brand globally in 2016, but by the end of 2018 it was 146th in the world.

Dr Ian Levy, the NCSC’s Technical Director and author of the ACD report, said: “These are just two examples of the value of ACD – they protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens.

“While this and other successes are encouraging, we know there is more to do, and we would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens.

“This second comprehensive analysis we have undertaken of the programme shows that this bold approach to preventing cyber attacks is continuing to deliver for the British public.”

Introduced by the NCSC in 2016, ACD is an interventionist approach designed to stop cyber attacks from ever happening. It includes the programmes Web Check, DMARC, Public Sector DNS and a takedown service.

The ACD technology, which is free at the point of use, intends to protect the majority of the UK from the majority of the harm from the majority of the attacks the majority of the time.

Other key findings for 2018 from the second ACD report include:

  • In 2018 the NCSC took down 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks;
  • 14,124 UK government-related phishing sites were removed;
  • Thanks to ACD the number of phishing campaigns against HMRC continues to fall dramatically – with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018. These figures relate to 16,064 spoof sites in 2017 and 6,752 sites in 2018;
  • The total number of takedowns of fraudulent websites across 2018 was 192,256, with 64% of them down in 24 hours;
  • The number of individual web checks run has increased almost 100-fold, and we issued a total of 111,853 advisories direct to users in 2018.

Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office David Lidington said: “The UK is safer since the launch of our cyber strategy in 2016. Over the last three years, and backed by a £1.9 billion investment, we have revolutionised the UK’s fight against cyber threats as part of an ambitious programme of action.

“The statistics and examples in this report speak for themselves. They outline the tangible impact that Active Cyber Defence is having, and how it is a key building block in improving cyber security in the UK now, and in the future.”

The new report also looks to the future of ACD, highlighting a number of areas in development. These include:

  • The work between the NCSC and Action Fraud to design and build a new automated system which allows the public to report suspicious emails easily. The NCSC aims to launch this system to the public later in 2019;
  • The development of the NCSC Internet Weather Centre, which will aim to draw on multiple data sources to allow us to really understand the digital landscape of the UK;
  • We’ll explore developing an Infrastructure Check service: a web-based tool to help public sector and critical national infrastructure providers scan their internet-connected infrastructure for vulnerabilities;
  • NCSC researchers have begun exploring additional ways to use the data created as part of the normal operation of the public sector protective DNS service to help our users better understand and protect the technologies in use on their networks.

You can read the full 2019 report here.

Rob Norris, VP Enterprise and Cyber Security, Fujitsu, said: “Cybersecurity challenges aren’t slowing down and this annual report by GCHQ’s National Cyber Security Centre illustrates the magnitude of the problem. Cybercriminals today are creative and equipped with a multitude of tools helping them see their attacks through, making it vital for all organisations to think how they can safeguard their data and business assets.

“Unfortunately one of the simplest methods of stealing sensitive information is through a basic email phishing campaign, as proved by the fact that NCSC stopped 140,000 phishing attacks last year alone. This is partially because organisations still rely heavily on email to communicate both internally and externally, but also because of the human factor. Human behaviour is cited as the biggest challenge in email security, therefore it is imperative that businesses prioritise vigilance and awareness through education and training. 

“I would advise that some of the things we can do to identify suspected email security threats are hovering over the email hyperlinks before clicking to see the web address; blocking executable files and emails with large attachments; being mindful of password reset emails; and using a VPN when working remotely or using public WiFi. In today’s digital world, no one is immune from data theft, and being vigilant, both as an employee and as a consumer, is paramount.”

Female students flock to NCSC CyberFirst initiative

Stuart O'Brien

Nearly 12,000 girls aged 12 – 13 from across the UK took part in the competition in 2019, which was launched by the National Cyber Security Centre (NCSC) as part of the CyberFirst initiative.

The competition breaks down gender barriers by encouraging girls to engage with cyber security before they make their GCSE choices, with over 24,000 female students having taken part since the competition was launched in 2016.

Promising youngsters from across the UK have been attending cyber security courses throughout the year, with some securing bursaries and apprenticeships through the CyberFirst programme.

However, with only seven percent of the cyber security workforce being female, Minister for the Cabinet Office, David Lidington, called for more to be done to encourage females within the sector.

“There remains a severe lack of diversity in the cyber industry,” said Lidington.  “Cyber security is among the most important aspects of our national defence today, so we need talent from every part of society enriching our workforces.

“Women have been pioneers in security and technology, and we want to see this reflected in the cyber security sector too.”

An online learning tool has also been developed by the NCSC to help workers protect themselves from any potential cyber attacks.

Discussing the new software, Clare Gardiner, NCSC director of engagement, said: “We all have a part to play in making the UK the safest place to live and work online. Employees are vital in helping keep their organisations’ networks safe and need to be aware of how to protect themselves.

“Our recent Cyber Survey discovered that 25% of organisations don’t see cyber security as a top priority and we hope this tool will empower staff to start conversations around best practice. 

“Once people are more cyber literate as a whole, we hope to see this having a positive impact on the diversity of people that are interested in working in the sector.”

NCSC outlines data breach roles

Stuart O'Brien

Data breach roles have been outlined to help victims of cyber incidents and form an improved approach between the UK’s technical authority for cyber threats and its independent authority for data protection. 

Speaking at the second day of the National Cyber Security Centre (NCSC) annual conference CYBERUK, Chief Executive Ciaran Martin and Information Commissioner’s Office (ICO) Deputy Commissioner James Dipple-Johnstone outlined the understanding between the organisations.

The NCSC manages cyber incidents of national importance to reduce harm caused to victims and to the UK, help with managing the response and learn lessons to help deter future attacks.

The ICO is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR) and the competent authority for Digital Service Providers under the NIS Directive, meaning breached organisations should notify them of incidents, cooperate and take remedial action.

Amongst the commitments outlined was greater clarity on the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right authority/organisation at the right time.

The NCSC outlined plans to engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath; encourage impacted organisations to meet their requirements under GDPR and the NIS Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned; and help the ICO expand their GDPR guidance as it relates to cyber incidents.

The ICO stated it would focus its early-stage engagement on the vital steps required to help ensure impacted organisations mitigate risks to individuals, stand up an effective investigation and establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and that, in circumstances of high risk to individuals, organisations have properly met their legal responsibilities.

Both organisations should share duties, including sharing anonymised and aggregated information with each other to assist with their respective understanding of the risk, and commit to amplifying each other’s messages to promote consistent, high quality advice to ensure the UK is secure and resilient to cyber threats.

Discussing the roles outlined, NCSC Chief Executive Ciaran Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.

“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues.

“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

ICO Deputy Commissioner – Operations, James Dipple-Johnstone, said: “It’s important organisations understand what to expect if they suffer a cyber security breach.

“The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.

“Organisations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

The NCSC will seek to forge similar enhanced clarity on its working relationship with law enforcement colleagues who are at the core of the response to malicious data breach incidents.

National Audit Office raises cyber security concerns

Stuart O'Brien

The National Audit Office (NAO) has revealed failings in the way the Cabinet Office established its current cyber security programme, with the government unclear whether it will meet programme objectives along with issues surrounding its cyber-attack strategy after 2021.

The UK has one of the world’s leading digital economies, the report asserts, making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks.

The National Cyber Security Strategy 2016 (the Strategy) outlines how the government aims to make the UK more secure online. The £1.9 billion Strategy includes £1.3 billion of funding for the National Cyber Security Programme 2016-21 (the Programme) and the NAO report assesses progress just beyond the mid-point of the five-year Programme.

The Programme provides a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre (NCSC).

The Programme has also reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years.

However, despite agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the NAO says the Cabinet Office did not produce a business case for the Programme before it was launched.

The NAO says it is unclear whether the Cabinet Office will achieve the Strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient. It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved.

The NAO recommends that, going forward, the Cabinet Office establishes which areas of the Programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally-funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.

“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services,” said Amyas Morse, Head of the NAO. 

“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”