State of UK’s cybersecurity examined at CPX London 2023

Alongside mentions of generative AI used by the likes of online sensations ChatGPT and its potential to be utilised in attacks, attendees heard talks from Virgin Atlantic’s CISO on his strategy building their cybersecurity, best practices for cyber resiliency, and the state of the UK’s cybersecurity. 

Lead by Scottish Government Cyber Advisory Board member and Check Point’s own CISO Deryck Mitchelson, attendees got an intimate look at the situation the UK cybersecurity finds itself in and what’s coming over the horizon. 

“The two most expensive attacks to manage and come back from are email attacks,” Mitchelson told the audience. In 2017, a coordinated attack dubbed ‘the WannaCry outbreak’, afflicted over 200,000 computers in over 150 countries. This went on to cost the UK £92 million. The ransomware was often delivered via emails that tricked the recipient into opening attachments and releasing malware onto their system. This is the same malware that captured the nation’s attention when it went on to hack the NHS and encrypt thousands of files, resulting in missed appointments and potential dissemination of confidential information.  

Despite the UK being a technologically developed country, and lessons should have been learnt, it seems that these issues are still cropping up. Mitchelson went on to show statistics that many small and medium sized enterprises don’t have adequate cybersecurity strategies in place. This was evidenced when in January of 2023, news broke that the Information Commissioner's Office was investigating up to 14 issues of hacks against schools in 2021 and 2022 that saw the potential leaking of student information and even passport scans.  

So, what should businesses and CISOs be looking at now for their cybersecurity needs? “I think now you need to get your zero trust strategy. Now more than ever before,” Mitchelson states. 

Listing the types of attacks organisations need to be aware of– phishing attacks, malware attacks, DDoS attacks, ransomware etc–Mitchelson emphasises the limiting effect zero trust systems can have on containing these attacks. When Uber was hit with a phishing attack in 2022 in which a hacker gained an Uber employee’s credentials and could then gain access to information throughout the system, zero trust began being touted as more of an essential than an added feature. With a zero trust cybersecurity model, the hacker’s lateral movement within the network would be limited as the network would be segmented and each segment would have security policies.  

Yet cybersecurity is not just reactive, Mitchelson states. He goes on to list recent action taken by US government agencies to try and curb illegal online activities – like closing down crypto exchanges to deny hackers funds and even publishing the names of known hackers. 

Although, Mitchelson goes on to lament current UK inertia in comparison. “We want to be global leaders, not just talk about it. We need to be more proactive”. Yet in this comparing of the UK’s government action on cybersecurity, the talk turns to the Cyber Security Strategy published last year. In it, Mitchelson praises the encouraging promises made and the recognition to learn from the EU’s comprehensive NIS Directive. 

Then, to round off the talk, Mitchelson leaves the audience with some food for thought by bringing in something topical to the talks: generative AI. With a number of leading experts like Google’s recently departed Dr Hilton and even ChatGPT’s CEO Sam Altmann warning of the dangers of this AI if left unrestricted, Mitchelson, stressing the importance of cybersecurity, posits: “Imagine if hackers gained unrestricted access to these companies currently stewarding these programmes.”