CBI conference key note speech
It’s great to be here, back speaking at the CBI at the second annual CBI Cyber Conference. It’s telling that the CBI is now running an annual conference and important that is does so.
Cyber Security has been an issue I’ve been involved in for some time. Both in my previous role as Paymaster General, with responsibility for tech inside Government, and now in my role as Minister for Digital and Culture responsible for tech and digital across the wider economy.
You mention my first job was in software, my family software business. These were in the days before the Internet so things were a little different. But I would say you listed the speakers today saying there were many many business speakers and you didn’t, perhaps to be gentle to me, put and a Government minister.
But this point is important, because ultimately cyber security is only something that can be done through partnership between business and Government.
You at the CBI represent a third of our private-sector workforce - nearly 200,000 businesses. And you serve them well by working in partnership with Government to keep them secure in this digital age. Because there are things we can do and things you can do and it is vital we understand each other’s roles in that.
I think it’s worth taking some historical perspective.
When I first worked in tech we were just moving from the quarter of a mb disks that were actually floppy, to 1.4mb and over. The biggest desktop had 30mb storage, and few of them were connected to each other.
When the CBI was founded in 1965, cyber security was hardly even a concept. The world’s first commercial 16-bit computer had only gone on sale that year. At $28,000, it was the size of a small car. It held just 30 megabytes of storage - barely enough for a short video on YouTube.
The progress since has been incredible. This point is important - we must never put cyber security in a different box than the wide application of the Internet. The phones in our pockets are now more powerful than the computer which took the first men to the moon - and each of us can now connect to virtually anywhere in the world. And as everybody in this room, and I can say that confidently despite not having personally met you all, is connected a huge proportion of the time - and this is a good thing.
Our lives have been transformed by Internet technology - not least how we do business. The Internet helps drive our economy, enabling industry to create and innovate, making it easier to start a business and to find and connect with customers. We in the UK are now world leaders in online commerce. Last year, 4 out of 5 UK citizens bought something online. If you think just ten years ago confidence in online retail was something brought into question, now is deemed automatic that it is safe and secure. So we always have to have that context, that cyber security is challenge within a sphere of huge opportunity.
But businesses are being attacked for their finances, their intellectual property, their customer data. Our latest research shows one in four of all businesses experienced a cyber breach or attack in the past 12 months. A quarter of large firms are hit at least once every month. That impacts not only on their cash flow - the cost of individual attacks can be enormous - but on their brand and reputation. As I’m sure you can discuss with those who have been successfully breached.
So, how are we going to protect our networks at home and abroad.
I want to touch on a few points. Firstly, what Government is doing - and how you can help.
We’re investing £1.9 billion in the protection of UK cyber space.
Since the first national cyber security strategy in 2011, a five-year long strategy, we’ve transformed the awareness of the cyber threat. Nearly half of our top businesses now treat cyber attack as a top risk (up from 29 per cent in 2014) and nearly two-thirds report on cyber security in their annual reports. Frankly, I want to meet the other third and ask why they don’t.
But there’s more we can do to get cyber security engrained in the business culture.
Not just in the IT departments. Not just in GCHQ when it comes to Government, but at the top level around the board table, engaging staff at all levels.
Because, ultimately, cyber risk is your data risks. And cyber security is an issue for business owners, CEOs, for Board members alike. It should be managed just as any other corporate risk. As well as putting funding in, we’ve also set out clear guidance. Our “10 Steps to Cyber Security” shows an organisation of any size how you can take the steps that are deemed necessary. If you’ve never seen this guidance before then have a look it up on the free WiFi and make sure you use it.
We also have the Cyber Essentials scheme. We try to make it as easy as possible for businesses to be safe online.
Ultimately the truth is this: The majority, the vast majority of cyber attacks exploit basic weaknesses, whether it is in software, in systems or in people. All organisations need good basic cyber security. This can tackle the vast majority of attacks.
In a way when we hear of a cyber attack, a big cyber attack that is in all the media headlines, it seems almost inevitable that shortly afterwards will come the news story it was perpetrated by a 15-year-old sitting in their bedroom.
And my lesson from this is it demonstrates how tackling the basics well can do a huge amount for our cyber security. There is research that shows that nine out of ten cyber attacks involve human failing, whether deliberate or more frequently, inadvertently.
So getting the simple processes right, that the Cyber Essentials scheme highlights, that is the easiest way to solve the cyber security challenge. It shows how firms can protect themselves against the most common online threats. It’s the equivalent to putting your takings in the safe and locking the door to the office.
I think that every organisation which relies on the Internet for business should have Cyber Essentials as a minimum.
In Government we’re leading the way by requiring suppliers who handle our sensitive data to hold a Cyber Essentials certificate to try to make it the norm. We encourage industry to do the same. Every company in your supply chain that adopts Cyber Essentials in turn increases your security.
And while many organisations large and small have adopted the scheme, there is still a long way to go before it is widely used across the economy. So I urge all organisations to look carefully at it and sign up.
But rest assured, we’re working from strong foundations. We already have a thriving cyber security industry here in the UK. This is the second point I want to make.
While cyber is a threat to almost all businesses it is also an opportunity for those who make their money from protecting others.
Latest figures show that the sector grew from £17.6 billion in 2014 to almost £22 billion last year. And our cyber security exports also grew, up to almost £2 billion, up a quarter since 2014. So there is an opportunity for the UK.
But in order to thrive it needs skilled individuals, and 86 per cent of IT managers report that there is currently a shortage. Again this is an area for partnership between business and the government. Research shows that 1.5 million cyber security specialists are needed globally, and thousands are needed here in the UK.
So we’ve already put measures in place at every level of education to improve and introduce the necessary skills - even from coding for those aged 8 and above in the curriculum, all the way up. And we continue to develop ambitious new plans, and in the forthcoming national cyber security strategy, which you mentioned, we will outline the UK’s mission to be the world’s most secure online economy in the space of skills and more broadly.
That brings me onto the third thing I want to talk about.
Which is we can only achieve all this in partnership with you.
On my first full day in this job I chaired the Cyber Growth Partnership, which is a joint initiative between industry and Government to promote cyber security. We discussed plans to develop two new Innovation Centres, where start-up firms can base themselves in their crucial early months, to get the best possible support and the best cyber advice. The aim is to draw together business, Government expertise and academia in order to have innovation centres that keep pushing the boundaries. The first is on track to open in Cheltenham around the turn of the year, and the second in London in 2017. They will bring together business, government and academics and help to build on our growing cyber sector.
I am committed to giving it and to giving you our full support, and everybody has a contribution to make, so that together we can - and we will - build a secure and successful digital economy.