Matt Hancock's cyber security speech at the Institute of Directors conference
Minister for Digital and Culture Matt Hancock's cyber security speech at the Institute of Directors conference in London
Hello and thank you for inviting me today.
Cyber security is such a crucial part of our modern economy. It’s something the Government is determined to get right, so it’s great to see the Institute of Directors tackling the issue.
When the IoD was founded in 1903, the world of communications was radically different. In fact, January of that year saw the very first ever transatlantic radio broadcast between the UK and the United States.
When Marconi sent those first radio signals, I wonder if he realised how pervasive and important globalised communications would become over 100 years later. I wonder also if he considered how important security would become.
He got an indication later that year, because in June, when demonstrating the sending of a radio signal from Cornwall to London, he was the victim of one of the world’s first hacks. A rival inventor, unimpressed by Marconi’s supposedly secure system, hijacked the demonstration by transmitting his own messages to Marconi’s morse code printer, in an act Marconi branded “scientific hooliganism”.
This story is interesting for a number of reasons.
Firstly, the idea that someone could monitor or interfere with radio signals made Governments sit up and take notice. Ultimately this led scientists to develop systems of wireless encryption which were then used during the world wars - and encryption plays a crucial role today.
Secondly, it demonstrates a problem which still exists: the tension between wanting to quickly get a new product onto the market, and the need to make it secure.
These are both issues with us today. They are at the heart of the Government’s recent National Cyber Security Strategy. Through the strategy we’re investing £1.9 billion to defend the UK in cyber space, deter our adversaries and develop our knowledge and capability in cyber security.
We know the scale of the threat is significant: one in three small firms, and 65% of large businesses are known to have experienced a cyber breach or attack in the past year. Of those large firms breached, a quarter were known to have been attacked at least once per month.
It’s absolutely crucial UK industry is protected against this threat - because our economy is a digital economy. Over 95% of businesses have internet access. Over 60% of employees use computers at work. The internet is used daily by over 80% of adults - and four out of five people in the UK bought something online in the past year. And we know the costs of a successful attack can be huge. My message today is clear: if you’re not concentrating on cyber, you are courting chaos and catering to criminals.
This is why cyber security is one of the seven pillars of the Government’s digital strategy, which we published earlier this month. The digital strategy aims to make Britain the best place in the world to start and grow a digital business. But it also makes clear we must take action on cyber security.
One of the key issues is the gap between awareness and action. Government research from last year found the vast majority of businesses said cyber security was a high priority for them - But…
• Only around half had taken action to address cyber risks;
• And fewer still had formal written cyber security policies, or incident management plans.
I know the IoD and Barclays are publishing a new report today which has similar findings. I hope you will use that report to drive action and awareness in your organisations.
Our aim is to help businesses get the basics right, and encourage them to understand their cyber risks and manage them appropriately. This is one of the reasons we created the new National Cyber Security Centre, which aims to make the UK the safest place to live and do business online.
As well as protecting the UK at a national level, the NCSC, which is part of GCHQ, has a new role in supporting the “wider economy and society” - that is, the parts of industry and society the security services have not traditionally engaged with - including small and medium-sized businesses, charities and educational institutions.
Their door is open. We are making it as easy as possible to do this right, so there’s no excuse. Do please look at the practical, user-friendly advice the NCSC has on its website.
I want to highlight two things specifically which you can do.
Firstly, for getting the basics right, we created the Cyber Essentials scheme. GCHQ analysis shows the vast majority of cyber attacks exploit basic, known vulnerabilities, like passwords and admin access policies. Cyber Essentials shows you how to address those vulnerabilities. It’s simple, low cost and specifically designed for SMEs. All firms which rely on the internet should have Cyber Essentials - as a minimum.
The Government thinks this is so important we now require all our suppliers which handle sensitive data to hold a Cyber Essentials certificate.
Secondly, for managing cyber risk, we created the 10 Steps to Cyber Security guidance. This is about taking an organisational approach to cyber security and managing cyber as you would any other business risk. This is a board level issue, not one to delegate to the IT department. As directors and board members, you should all be engaged in this issue. I know the IoD has a role in promoting good corporate governance, so I commend the 10 Steps to Cyber Security and encourage you all to use it.
On Cyber Essentials, we’ll be launching a new push later this week to encourage all UK businesses to adopt the scheme. Numbers are really starting to grow. Already, we’ve awarded more than 6,000 certificates to date, with the numbers more than tripling in the past year. We’ll be publishing the figures on take-up each month from now on.
I mentioned the Government already requires many of its suppliers to hold a Cyber Essentials certificate. We’ll be strengthening this requirement to ensure even more of our contractors take up the scheme.
I can announce today that we will beef up our requirements for contractors to use the scheme. And I’m also pleased to announce that a number of the country’s biggest firms have also agreed to encourage their suppliers to adopt Cyber Essentials. These include Barclays, BT, Vodafone, Astra Zeneca, Airbus Defence & Space, and Intel Security.
I think this is a powerful signal that the security of our suppliers is as important as our own security - the two things are inextricably linked. It is also a recognition that Cyber Essentials is an effective tool which can be built on to achieve greater security in our organisations.
To complement these new measures, we’ve also published updated Cyber Essentials requirements, to make the scheme easier to use. And we’ll be starting a marketing campaign on Friday to raise awareness and drive adoption of the scheme.
It’s important businesses and organisations take action. With the introduction of the General Data Protection Regulation next year, it’s crucial all organisations understand what data they have and ensure it is protected appropriately. Taking these actions I’ve outlined will help. There is further guidance on GDPR on the Information Commissioner’s website.
We also want to develop our national capability to deal with the cyber threat, which is why we are supporting the UK cyber security industry, which is worth nearly £22 billion and has a strong record on growth and exports.
We are funding a range of interventions to support the UK’s cyber security ecosystem, which help companies at different stages of the business lifecycle.
To help develop an initial idea into a commercial reality, the Academic Start-Up programme helps those in academia turn their research ideas into commercial products. There is also “HutZero”, an early stage accelerator, delivered by Cyber London and Queen’s University Belfast, to mentor individuals with early ideas and help turn them into workable proposals and potential new businesses.
To help turn a product into a start-up firm, we’re opening two Cyber Innovation Centres. The first in Cheltenham is already open, and features the GCHQ Cyber Accelerator. Successful applicants to the Accelerator gain access to GCHQ’s world-class expertise as they develop their products and grow their businesses. The London Innovation Centre will open later this year.
And to help early stage companies become successful companies, we’ve partnered with the Digital Catapult to launch a “small business bootcamp” called Cyber 101, which offers Business Basics for Cyber Security small businesses and SMEs.
Finally, we’re working on an initiative to help put successful companies on the path to becoming world-class enterprises.
The final piece in the jigsaw, and a crucial one if the industry is to continue growing, is tackling the skills shortage. We made some progress over the past five years by putting interventions to improve cyber security skills at every level of education. We’re now going further with a bigger strategic programme, which includes:
• A Cyber Schools Programme to identify talented and motivated 14-18 year olds, and help nearly 6000 of them become future cyber security professionals;
• Cyber Security Apprenticeships, to establish apprenticeships as a viable route into the cyber security profession. Our initial pilot this year attracted over 1000 applications for around 30 apprenticeships;
• And, a Cyber Retraining Programme to address the skills gap more immediately. This will help those already in the labour market change careers and become cyber security professionals in a short timeframe.
This work will be brought together in a Cyber Security Skills Strategy to be published later in 2017.
So we have a huge amount of activity underway. But ultimately this is something which can only be done through partnership between business and Government. So I look forward to continued working between IoD members and the Government, to help deliver our shared mission of making the UK the safest place to do business online. Thank you.