Firewall is good news for all, but hiding behind it will not be an option, says NIG director of underwriting and pricing Justin Clarke
Earlier this year, a National Audit Office report criticised the government’s data security measures as chaotic.
The report concluded that the government “need to introduce a cohesive risk management exercise… and consider technologies and strategies to mitigate the risks identified”.
A new security centre
The government responded to the criticism by setting up the new National Cyber Security Centre (NCSC), a public facing department of the government communications headquarters (GCHQ).
Protecting UK cyber security by establishing a ring of cyber steel is, on the face of it, good news for all UK businesses.
The NCSC’s first initiative will be what the media has dubbed the Great British Firewall.
As GCHQ sees it, private sector internet service providers such as BT, Sky and Virgin Media will provide the firewall and identify and filter out malicious content.
This large-scale approach to cyber security has, not surprisingly, worried civil liberty groups. They argue that the initiative gives GCHQ too much say over which sites are malicious, and too much power to silence sites the government disapproves of.
It did not help that GCHQ’s NCSC chief executive Ciaran martin announced the firewall at a conference in Washington with officials from the US National Security Agency (NSA).
GCHQ and the NSA already have a track record of intrusive joint hacking operations. As one commentator put it, “this seems like the fox protecting the chicken”.
Government controlled, private sector supplied
Martin argued that initiatives addressing privacy concerns and citizen choice should be private-sector led because “the government does not own or operate the internet”.
Whether you see his statement as a concession to civil right groups, or an admission that NCSC and GCHQ do not have the resources to maintain such a comprehensive firewall themselves. This depends on your point of view.
Will it protect SMEs?
The firewall, Martin contends, will not just benefit government sites and those industries crucial to national security, it will also protect major private companies. However, his speech failed to mention any benefits to UK SMEs.
Even if the Great British Firewall makes the UK less vulnerable to cyber attacks, it will be little comfort to SMEs worried about the impending EU GDPR (General Data Protection Regulation) which will come into force in May 2018.
Hiding behind the Great British Firewall, even if extends to SMEs, will not be an option.
Firstly, as BeCyberSure technical director Graeme McGowan confirms, the GDPR stipulates that even if a company outsources its data security, it is still ultimately responsible for any failure.
Secondly, Martin sees the firewall providing scaled-up DNS (domain name system) filtering, to catch and prevent high volume attacks such as the malicious emails with fake @gov.uk addresses.
Describing this policy as an active cyber-defence, Martin said that they trialled it and that “whoever was sending 58,000 malicious emails per day from firstname.lastname@example.org… isn’t doing it any more”.
That is fine if such an email is blocked en route to your business, but it will still leave you vulnerable to more sophisticated and selectively targeted spam.
McGowan reiterates that SMEs, however hard pressed, must take responsibility for their own cyber security.
He also said that “due to their lack of scale or deep pockets, SMEs are the most vulnerable to cyber attack and data breach”. SMEs are often easy targets as “management is not engaged, defensive sophistication is lower, technical defences will be out of their financial reach, and training budgets are frequently non-existent”.
However SMEs can take simple steps to improve information security. This would greatly reduce the changes of SMEs becoming a target and a victim.
A firewall that’s not for all
The Great British Firewall may sound like an impressive bulwark against the threat of ill-intentioned cyber invaders, but its defences are not likely to provide SMEs with much protection.
As Graeme McGowan concludes, “a combination of engaged management, good governance and effective education and training is a critical aspect of your information security efforts”.
Once again, SMEs will be responsible for their own cyber destiny.