The war on Ukraine has forced topics around cyber preparedness within government organisations and owners or providers of critical national infrastructure (CNI) to the fore, but in the UK in particular, such bodies face big problems in areas around skills and expertise, which are creating barriers to improvement.
This is according to a report compiled by Trellix – the artist formerly known as McAfee – and pollsters Vanson Bourne in late 2021, which gathered the opinions of hundreds of security pros at government agencies and CNI organisations in France, Germany and the UK. Even though the fieldwork was conducted months before Russia’s attack on Ukraine, the issues it raises are highly relevant in the context of the war.
“Cyber attacks are as much a part of modern warfare as the use of physical weapons. Attacks against critical infrastructure are nothing new, but the last few months have opened more eyes to the activities of many governments and hacking groups as they directly target those assets and systems vital to a nation’s economic security, safety and public health,” said Trellix Europe, Middle East and Africa (EMEA) vice-president Fabien Rech.
Trellix found that 41% of UK respondents said a lack of staff resources was the biggest barrier to implementing new cyber solutions, while 39% identified a lack of trusted partner suppliers to assist, and 35% said they lacked sufficient implementation expertise.
In France, security pros tended to find tender and bidding processes more of an issue, but also cited a lack of trusted partners, budget, and ignorance of cyber among organisational leadership. German responders also faced problems with tendering, and similar problems to both the British and French.
From a technological perspective, UK-based respondents cited endpoint detection and response (EDR) and extended detection and response (XDR) and cloud security modernisation as the most mature defensive solutions, with 37% saying they were “fully deployed” in this area. Zero trust tailed with 32%, and multi-factor authentication (MFA) was cited by 31% – Brits tended to think MFA was more difficult than average to implement, as well.
The French, on the other hand, are doing much better on MFA, with 47% of respondents claiming full deployment, 35% saying they had fully deployed EDR-XDR, and 33% and 30% saying they had fully implemented cloud security modernisation and zero trust respectively.
In contrast to this, the Germans tended to be better on cloud security modernisation, which 40% claimed to have fully implemented, followed by zero trust at 32%, MFA at 30% and EDR-XDR at 27%.
Supply chain risk and government support
In other areas, respondents from all three countries tended to identify software supply chain risk management and processes as difficult to implement, particularly in light of high-profile incidents such as the SolarWinds attack, and there was also agreement that there was too little oversight over how security products are developed and where.
Majorities from each country also agreed that it was on governments to prescribe higher standards in software cyber security, although these were tempered with concerns that, among other things, government suggestions and timelines would be difficult to meet, and that too much oversight would hurt their ability to think for themselves.
Survey respondents did, however come out strongly in favour of formalised, government-led security initiatives, all thinking such programmes would lead to improved protection.
Overwhelming majorities in each country also called for improvement in how the public and private sectors partner and interact on security issues – Brits, incidentally, were particularly keen on mandatory incident notification and liability protection, and respondents from all three countries tended to favour more defined cooperation and support during ongoing attacks.
Rech noted in particular the UK’s ambitions to be a “leading cyber power” by 2030, but said that cyber criminals and nation-state adversaries alike were upping the ante, so this needed to be accelerated.
“Government-led initiatives have an important role to play, but it will also be down to organisations across every sector – particularly those in critical infrastructure – to facilitate the sharing of threat intelligence as well as make the most of advanced cyber security technology and the adaptive protection it enables,” he said.
“Static, siloed security falls short against the agile approach cyber criminals and nation-states employ for their dirty tactics. The government and UK organisations will need to not only collaborate, but also ensure their security teams are able to respond quickly with security that spots, stops and adapts quickly to incoming threats. This will be core to government agencies and critical infrastructure providers remaining resilient and ready to fend off new attacks which come their way.”