Last word: Action stations

Opinion by Mark Brown

The government has done its bit for cyber security - now it's up to businesses to take action, and quickly.

You hear a lot about what governments need to do in the cyber security space to protect economies, critical infrastructure or even their own members' Twitter accounts. But isn't this equally a space for businesses to take action in?

In 2010, the UK government launched the National Security Strategy, which rated cyber attacks as a ‘Tier One’ threat and, despite a tight fiscal situation, set aside £650 million over four years to develop a response. Two years later came the Cyber Security Guidance for Business, which, although focusing only on the FTSE 100, served as a wake-up call to all companies on the need to elevate cyber security on the boardroom agenda, following a string of high-profile breaches.

Then, in December 2012, the Cyber Security Strategy was updated. For the first time, the private and public sector would work together to tackle cyber security risks. This was not a flawless plan, but it showed that the government is once again looking to engage the business community.

Then, in January, came Davos and the cyber resilience principles that the UK signed up to. This reaffirmed the UK's position as a leader in tackling cyber security threats, and was another call for business leaders to take collective action.

Business leaders at the World Economic Forum spoke for the first time of the need to change the traditional board-level view of cyber security. Beyond the IT function, the current risk landscape requires decisions taken at a strategic level, with buy-in from top executives. Further collaboration and transparency not just within an organisation, but also between companies, their shareholders, outsourced vendors and business partners were on the table.

Breaking the wall and not keeping silent over the looming threat was now seen as the way forward. Just one month later, Brussels seized the initiative and proposed a unified approach to information sharing that cuts across borders, national infrastructure and capability, as well as across organisations in different countries.

The European Commission extended the obligation to report significant cyber incidents beyond telecoms companies to organisations in the energy, transport, health and e-government sectors. However, it would seem that businesses still don't understand that the cost of keeping silent and doing nothing to counter cyber threats is far greater than the cost of having a strategic security framework in place.

That brings us to the present and what many see as the last chance for businesses to act on cyber security and embed it in their standard corporate behaviour before they are made to do so under threat of legislation. I am talking about the Department for Business, Innovation & Skills, GCHQ and MI5 initiative to invite FTSE 350 firms to take part in an audit of their cyber governance.

With the cyber threat affecting potentially every aspect of an organisation – from its staff and assets to its finances and reputation – this might be the last opportunity for the business community to seize the initiative, understand the cyber risks and put pragmatic and balanced systems in place to counter them. This will require an honest assessment of their current capabilities, and collaboration to tackle the common threat, rather than continued adoption of a traditional, isolated approach to cyber security.

So there you have it. Enough proof that, no matter how flawlessly or not, governments have been acting on both a national and international level, and that it now falls on businesses to act before it's too late. 

As for those of you who ponder whether I have ignored the big issue of skills shortages in our profession – and the opinion that tackling the cyber threat in the long term will require a re-evaluation of the knowledge gap in our industry, rather than government intervention – rest assured, I haven't. But that is a whole different story for another column.

Mark Brown, director – risk advisory, Ernst & Young

