Lord St John of Bletso (CB)

- Hansard -

Copy Link

-

My Lords, I too thank my noble friend Lord Waverley for introducing this topical and important subject. I declare my interests in cybersecurity as listed in the register. Unlike other noble Lords, I wish to devote almost all my remarks to the impact of cyber threats on the economy, in particular on small and medium-sized enterprises.

I first became aware of the growing threat of cybercrime back in 2001 when I managed a few data centres for a large data provider, an ISP, here in London. Our clients, most of which were SMEs, required reliable, 24/7, secure web hosting with high-speed broadband. Many of them were being targeted by what were then referred to as “botnet cyber threats”. For noble Lords who are unaware of what a botnet threat is, it is otherwise known as a distributed denial of service attack. I built a team of tech experts to engineer DDoS mitigation tools, which countered the threat at the time. Since then, however, cybercrime against businesses and individuals has become significantly more intrusive and dangerous over the years.

SMEs make up 60% of all employment in the United Kingdom. Last year, it was reliably reported that 45% of all SMEs identified cyber breaches, costing many hundreds of millions in financial and reputation costs. Sadly, far too few SMEs have effective security measures in place, nor do they carry out regular effective cybersecurity training—a point mentioned by the noble Lord, Lord Lucas, and a few others. Therefore, they are particularly vulnerable to even the most basic cyberattacks.

As we know, cybercriminals are increasingly targeting individuals for their credit cards and in other frauds. According to a report by Thales, the United Kingdom is the most breached country in the EU, but most UK businesses are blissfully naive and complacent about the increasing threat. The noble Lord, Lord Browne, drew attention to the Government’s five-year National Cyber Security Strategy, which they published in November 2016 when committing to invest £1.9 billion in cybersecurity. While I respect that the National Cyber Security Centre has provided excellent guidelines and advice to SMEs, many would argue that the laudable commitments are targeted more at big businesses and critical national infrastructure, with insufficient focus on SMEs.

We are living through a digital revolution. We have artificial intelligence, autonomous vehicles, drones, biotech, blockchain, the cloud and the internet of things, which has resulted in an ever more interconnected world. It is forecast that, by 2020, 50 billion devices will be interconnected around the world as a result of the internet of things. Technology is ever more critical to the UK and our digital economy has grown 2.5 times faster than the rest of the economy over the last 10 years. The digital tech sector is worth nearly £184 billion to the UK economy. But I stress that our dependence on technology has come at a cost. It was recently reported by CNBC, from a reliable global survey, that the cost of cybercrime to the world today has reached as much as $600 billion a year, which is 0.8% of global GDP. In this country we have seen attacks on our critical national infrastructure and we need to be increasingly vigilant of this increased threat. We should be cognisant of what my noble friend Lord Ricketts mentioned: the risk of a category 1 incident.

I mentioned that individuals are increasingly being targeted by cybercriminals. I understand that 91% of cyberattacks are delivered by email, putting anyone with an email account in the firing line of cybercriminals. I entirely agree with the comments by the noble Lord, Lord West: cybersecurity is about risk management. In this regard, it is increasingly important that individuals are better informed about simple IT housekeeping, such as regularly changing their email account passwords—a point made by the noble Lord, Lord Borwick—downloading basic security software and regularly backing up their data. This alone would substantially reduce the risk from most cybersecurity breaches.

Online data has pushed identity theft to a record high in the UK. The anti-fraud agency CIFAS has said that ID theft cases rose by 1% last year to almost 175,000, with eight out of 10 cases using information found online. This represents a 125% rise over the last 10 years. Phishing remains the number one threat action. Almost half of UK manufacturers have fallen victim to cyberattacks and many more attacks go unreported or unrecorded, according to the manufacturing trade association, EEF.

Under GDPR, introduced in May this year, the fines businesses can face for data security breaches are crippling. Two years ago, following the TalkTalk hack, the company was fined £400,000; under the new GDPR fines schedule, this would be nearer to £60 million. Last year, Lloyd’s of London estimated that a major global cyberattack on a cloud provider could lead to losses of around £40 billion. The majority of these losses are not currently insured. The police and the security services are implementing the Prevent strategy to increase awareness across businesses.

Despite the massive need to sustain our digital economy there is a huge skills gap, which seems to be widening. In a recent poll, nearly half of all organisations admitted they had a chronic shortage of IT security professionals, and 70% thought this had a significant impact on their business. Uncertainty over Brexit is also exacerbating the lack of digital skills in the domestic economy, with a lot of IT talent looking to move elsewhere. We need a far more innovative approach to bridge the cyber skills gap, and I wholeheartedly agree with the noble Lord, Lord Lucas, on the need for more training. Wide-ranging training is key for businesses of any size attempting to counteract cyber threats. It is the responsibility of everyone within a company to protect not only the company but its data. All staff, not just IT or security staff, need to be aware of what to do—and what not to do—to make sure that breaches do not happen either accidentally or on purpose.

In my opinion, within the business community there should be company-wide strategies, from the chief executive down, for dealing with and in readiness for the outcomes of a cyberattack, should the worst happen. Equally, despite the national cybersecurity initiative, a lot more should be done in both the private and public sectors to promote cyber awareness, enhance the cyber skills gap and invest more in measures to protect the critical national infrastructure. Initiatives such as TechVets, which helps military veterans into technology and cybersecurity roles, are a great way to harness unrealised pools of human resource potential.

I noticed in the very useful briefing from the House of Lords Library that the UK has committed to working in close collaboration with its international allies, including—as a member of the EU—its partners in NATO, to improve cybersecurity. Can the Minister give a reassurance that after our exit from the EU, our Government will continue their cyber co-operation with our counterparts across Europe? In conclusion, I am not trying to be a doomsayer; I am simply advocating being proactive rather than reactive.