The claims in the National Audit Office's (NAO) report are made in spite of recent action taken by the government to develop a robust cyber strategy – including GCHQ's formation of the UK's first academic research institute set up to arm the nation with the necessary tools in the growing struggle against cyber attacks.
The NAO claims that despite significant steps already being taken, a lack of skilled computer experts is holding the UK back from being able to achieve an effective defence against the new breed of advanced and targeted attacks. This perhaps comes as little surprise given the level of complacency that has long reigned within organisations when it comes to cyber security.
Across the nation, the number of computer experts able to tackle the growing threat is dwarfed by the number of cyber criminals attempting to hack into corporate networks on a daily basis. However, while the UK's shortage of security experts is indeed a cause for concern, the woefully outdated security architecture relied upon by the majority of organisations is also to blame. Widespread trust placed in obsolete security tools and a poor awareness of the sophisticated tactics in use by today's attackers are resulting in all too many networks being left wide open.
The NAO's report also claimed that the UK suffered 44 million cyber attacks in 2011 – approximately 120,000 per day at an estimated cost to the country in excess of £27 billion. These alarming statistics highlight the full extent of the threat to the UK economy and echo last year's comments by MI5 chief Jonathan Evans regarding the “astonishing” extent of cyber attacks on UK industry.
With this in mind, the suggestion that science and technology should be better promoted in schools to boost computer expertise and our ability as a nation to cope with the evolving threat is to be welcomed. It is important that the number of specialists in cyber security grows in line with the evolving threat for the UK to stand the best chance of thwarting the onslaught of advanced and targeted attacks.
However, it must be acknowledged that while education has its role to play in bolstering security, organisations must rapidly readdress their approach to proactive security measures. With the stakes higher than ever, cyber security is no longer just the concern of enterprise IT teams, and is an issue that must be tackled at boardroom level.
UK businesses and government must be fully aware of, and alert to, the current threat level, as complacency in this environment really can spell disaster for an organisation. After all, the highly advanced capabilities of today's generation of hackers, coupled with the increased storage of intellectual property and other sensitive data, have generated a perfect cyber crime storm, which must be urgently tackled – right up to C-level executives.
To ensure that networks and data are suitably ‘locked down’ and equipped to fight off known and unknown malware, sophisticated phishing attempts and advanced, targeted and relentless attacks, a vital first step is identifying the potential weak points in a network and crucial corporate assets. Equally vital is understanding the level of investment necessary to enable organisations to mitigate the mounting risks.
An increase in the promotion of science and technology in education, in order to develop the next generation of cyber security experts, is encouraging. However, all organisations, particularly those with intellectual property or critical national infrastructure to protect, should urgently readdress security and up the ante to avoid the potentially devastating consequences of suffering an attack and resulting breach.
To support our national cyber readiness, while waiting for the next generation of cyber experts to develop, organisations must recognise that constant monitoring and proactive threat mitigation are essential for robust protection. With so many attacks reported daily, the odds really are stacked against businesses and governments, so an urgent rethink of security should be top of the agenda across the board.
Paul Davis is vice president of Europe at FireEye
FireEye is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk