A director of the United Kingdom’s National Cybersecurity Centre warned that a “category one” cyber attack—the most severe variety of attack possible—is likely to happen within the next few years, the Guardian reported.

The siren for the potentially devastating attack was sounded by Ian Levy, the technical director of the cyber-focused branch of the UK’s Government Communications Headquarters (GCHQ), while speaking this week at an event hosted by cybersecurity firm Symantec.

“Sometime in the next few years we’re going to have our first category one cyber-incident,” Levy said, noting that such an event would require a national or international governmental response to deal with the fallout of the attack.

Such an attack has not yet been seen. The National Cybersecurity Centre has covered 500 incidents since being founded last year—470 qualified as category three incidents and 30 fell under the label of category two.

Levy brought a mix of good and bad news to the stage, noting that it is still possible for governments and organizations to prepare for a category one attack before it happens—while also warning that doing so would require those entities to completely change the way they think about cybersecurity.

The security head said that too often, government agencies and businesses get caught up on what products they should use or how to respond to an attack that already happened instead of focusing on managing the potential risk posed by an attack.

He advised more focus on understanding exactly what kind of data the organizations hold, the value that data has and how much damage could be done if that information were to be lost or stolen.

He also said it’s important to teach and work with employees to make sure they are informed and prepared to prevent and respond to attacks.

“Cybersecurity professionals have spent the last 25 years saying people are the weakest link,” he said. “That’s stupid. They cannot possibly be the weakest link—they are the people that create the value at these organizations.”

“What that tells me is that the systems we’ve built, as technical systems, are not built for people. Techies build systems for techies, they don’t build technical systems for normal people,” Levy explained.

That lack of understanding was evident in the recent breach of credit reporting firm Equifax that resulted in the personal information of as many as 143 million American consumers and hundreds of thousands of consumers in the UK and Canada being stolen. That data has a significant amount of value to hackers who can sell that information.

Despite the Equifax breach, and despite other widespread attacks that have happened in recent years, many organizations have failed to take steps to protect their information. Levy warned that continuing down that path would make a category one attack inevitable, as experiencing one may be the only way to make organizations finally prepare for future attacks.

Levy laid out a situation in which such an attack happens and said after an investigation into it, “what will really come out is that it was entirely preventable… It will turn out that the organization that has been breached didn’t really understand what data they had, what value it had or the impact it could have outside that organization.”