Cybersecurity is still not taken seriously enough by organisation leaders, the new National Cyber Security Centre (NCSC) head has warned in her inaugural speech.
Lindy Cameron took over as chief executive of the agency in October, succeeding Ciaran Martin who led its creation in 2016.
Despite “huge progress”, the UK must not be complacent in the face of developing threats and new challenges, Ms Cameron will say in a virtual speech for Queen’s University Belfast on Friday.
She will highlight the recent SolarWinds attack which targeted several US government agencies, as well as a Microsoft Exchange mail server vulnerability as examples of the real dangers still lurking.
“As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online,” she will say.
“Ransomware remains a serious and growing threat, both in terms of scale and severity.
“You will have seen that earlier this week we published further practical guidance to the education sector after seeing a growth in ransomware attacks against schools, colleges and universities.
“Ransomware is not just about fraud and theft of money or data, serious as both are. It’s about the loss of key services and unenviable choices for unprepared businesses.”
Ms Cameron will suggest that basic cyber-hygiene is as important a life skill as knowing how to wire a plug, saying “we’re all too aware that cyber-skills are not yet fundamental to our education”.
Setting out her vision for the NCSC – which is part of GCHQ – she will say: “The cybersecurity landscape we see now in the UK reflects huge progress and relative strength, but it is not a position we can be complacent about.
“Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking.
“The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO (chief information security officer) as their finance director and general counsel.”
She will say: “The National Cyber Security Centre – launched five years ago – is now a firmly embedded part of the UK cybersecurity landscape. We no longer need to prove the concept, but in what will be a challenging period of economic recovery, we need to change the dial on the outcomes we seek, and look much further ahead to the generational change that is needed.
“We need to ensure that the fantastic science and technology envisioned in the Integrated Review is protected from theft or acquisition by hostile states.
“We need to ensure that our critical infrastructure, which keeps the country working through thick and thin, is a hard target for those that would seek to disrupt it.
“We need to ensure that the ever-increasing amounts of data generated and processed by the internet services we use every day are properly protected and our privacy appropriately managed.
“We need to ensure that the next generation of commodity technologies don’t repeat the security mistakes of the past.
“We need to ensure that our adversaries – be they state or criminal, traditional or new – think twice before attacking UK targets. And we need to ensure that future generations are better equipped to deal with this complexity than any of their predecessors.”
The NCSC is the UK’s lead authority on cybersecurity, overseeing the response to cyberattacks and improving the cyber-resilience of the UK’s national infrastructure.
Ms Cameron previously served as director-general of the Northern Ireland Office, as well as working at the Department for International Development (DfID), responsible for programmes in Africa, Asia and the Middle East, which included work in Iraq and Afghanistan.