
Western Mail article with Cardiff Business Club guest Paul Chichester, Director of Operations, NCSC

Date Posted: 15 March 2017

This article appeared in The Western Mail (Wednesday, 14th March 2017)

 

SMEs in Wales need to take the cyber threat seriously or risk losing their businesses in a single click

 

Cyber crime cost UK businesses £11 billion in 2015 yet 9 in 10 don’t have an effective incident management plan in place

Businesses in Wales are more vulnerable to a cyber attack than they may think and failure to adequately protect themselves could cause irreparable damage to many small businesses, according to Paul Chichester, Director of Operations at the National Cyber Security Centre (part of GCHQ).

Addressing over 250 business leaders at Cardiff Business Club, Mr Chichester warned that cyber crime is becoming increasingly sophisticated. Yet despite wanting to do the right thing and stop themselves from being attacked, very few businesses - just 1 in 10 - actually have an incident management plan in place to cope with a cyber threat.

“Business leaders in Wales and throughout the UK haven’t really planned for the worst case scenario,” said Mr. Chichester. “What would happen if tomorrow your systems have ransomware on them and they are all encrypted – what impact could that have on your business?

“Increasingly businesses are facing situations where all their data has been encrypted and they will never get it back. This could even see them going out of business.”

Echoing the sentiment of the Chancellor of the Exchequer, Philip Hammond, who said that businesses need to “sharpen their approach” to cyber security when he spoke at the official opening of the National Cyber Security Centre (NCSC) in February, Mr. Chichester urged businesses to “plan ahead, back-up their data and really think about how they want to respond.”

He said: “You don’t want to be thinking whether or not you will have to pay a ransom when you’re being asked to pay; you want to be able to make that call before an attack takes place.”

Originally from Cardiff and a graduate from Swansea University, Mr. Chichester has spent the last 25 years working in the cyber security space and he has been at the forefront of every major cyber investigation in the UK over the last two decades.

But the last few years have seen cyber security force its way to the top of the political agenda, with cyber crime costing UK businesses £11 billion in 2015.

“In 2010, the Strategic Defence and Security Review [SDSR] prioritised cyber security and committed to spending £860 million over a five-year period. By the time the next SDSR came around in 2015, it was recognised that while the commitment made five years earlier was a great start, cyber security had since become even more of an issue.”

As such, then Chancellor of the Exchequer George Osborne increased the level of investment in cyber security to £1.9 billion up to 2020.

“Back then, cyber crime was still to some degree classed as being a niche crime - criminals very much saw it as a way of making relatively small amounts of money.

“Now the challenge we face from criminals in this space is the awareness that the global economy is built on technology and there are those whose actions are generating, in some cases, tens and hundreds of millions of pounds via cyber space.”

However, against this backdrop, there remains a disconnect among businesses – especially within the SME community – between recognising the seriousness of the threat and knowing where to seek help and support should a breach occur.

In Wales there are over 238,000 active businesses, 99.3% of which are SMEs – many of whom do not consider themselves a potential target for cyber attack. But this is not the case, as Mr. Chichester explained to the Cardiff Business Club audience.

“We need to overcome the perception that cyber security is some sort of dark nation state sort of thing that doesn’t have any impact on SMEs.

“Arguably it is as, if not more, important for SMEs because through one single vulnerability an SME could potentially lose all of its company data. If that business is left unable to service their customers for a week they then risk losing not only that custom but their business altogether.

“So cyber security for SMEs is absolutely critical and in Wales it is perhaps more important than anywhere.”

Increasing awareness of the threats posed both at business and individual level is an area of key concern for the newly opened NCSC.

“The government was looking for something ‘transformative’ - something that would represent a step change in how the UK was responding to the cyber security threat,” said Mr. Chichester.

“By bringing a number of disparate parts of the government machinery together into a new single centre [the NCSC], we are now able to serve as a front door for advice and help, irrespective of whether they are a citizen or business wherever in the UK they are.”

That said, while the government is there in a supportive and guidance role, business leaders must also play their part in helping to combat the problem, with Mr. Chichester keen to stress the need for more user awareness and user education.

As he put it: “Every business holds customer information - data that cyber criminals will want to get hold of and ransom. After all, it only takes one employee to click a link to facilitate a breach, so we each have a responsibility as a government, as businesses and as individuals.”

He added: “Changing behaviour en masse is not something that will happen overnight. We need to keep chipping away at it. Cyber needs to be personal to each one of us and business leaders have a responsibility to protect their employees as well as the organisation itself.

“Companies can take a leading role in helping educate their employees in thinking about the risks both at work and at home. So educating and informing individuals about cyber security and the steps they can take to reduce the risk such as those caused by personal devices [bring-your-own-devices - BYoD] - the so-called ‘enemy within’ - all play an important role.”

The cyber sector is currently worth over around £33 billion a year and this presents a number of opportunities for Welsh and UK businesses.

“While there is a huge growth in demand for those with the cyber skills we need, the UK can take a leading role. We have a rich heritage as being at the forefront of technological development and by investing in future talent we can make the UK a world leader in this field.”

But, as criminals become increasingly sophisticated, leaders need to fully realise the impact that a cyber attack can have on their businesses, he told Cardiff Business Club.

“We want to make the whole of the UK the safest place to live and work online. But Boards need to manage the security risk of the organisation in the same way as they manage its financial risk.

“Cyber security is a Board-level risk and should not be left to the IT department. The digital world has already changed our lives, and it will do more so in the future.”
