One of the key stories in cyber security from this week has been around GCHQ advising businesses on how to protect against cyber threats.
In a rather surprising move, the private sector will be educated on how to thwart cyber attacks by the Government's intelligence unit and, according to media reports, ministers and officials from the agency will tell companies to create a more security-conscious culture. At the event, titled 'Cyber Security for Business', delegates will hear examples of how companies have lost intellectual property and millions of pounds through cyber attacks.
The Independent reported that a conclusion by the Commons Intelligence and Security Committee in its last report was that the UK's defences remained inadequate, despite a £650m national cyber security programme.
A survey by Check Point of 320 UK IT professionals found that a third (33 per cent) were concerned about stopping external cyber attacks, while 26 per cent said that the main challenge was stopping data losses by employees. It also found that only 12 per cent were completely confident that there were zero infections on their networks.
Alan Calder, chief executive of IT Governance, said that he felt that this was a recognition by the government that cyber threats are real. He said: "Protecting information assets is key to the long-term competitiveness of UK organisations, but great progress needs to be made. For example, compliance with the ISO27001 information security standard should be the cornerstone of any organisation's cyber security response. If you're responsible for a business but aren't aware of this standard, you need to find out about it – fast."
Mark Brown, director of information security at Ernst & Young, said that the launch was a 'welcome move' and should serve as a wake-up call to UK plcs on the need to elevate cyber security on the boardroom agenda.
"Although this is an appropriate short-term solution, the longer-term cure for this problem surely involves re-evaluating the skills and knowledge gap in industry rather than government intervention," he said.
In fact, the majority of responses that came into my inbox welcomed the move. Frank Coggrave, general manager EMEA at Guidance Software, said that the news that GCHQ will be working alongside the private sector should be welcomed.
"The proposed 'Top 20 Critical Controls for Effective Cyber Defence' may help to reinforce the importance of security processes; however, putting together a list of rules that get reviewed and updated every year isn't going to help. Cyber criminals will always find ways around them. Therefore the focus of this collaboration must be on forming a partnership that allows for swift reactions, information sharing and a reduced time between detection of an attack and response," he said.
Likewise, Orlando Scott-Cowley from Mimecast said that it was great to see the Government working to raise awareness and help combat this threat.
He said: "Being 'security-conscious' is the job of all companies, their management and their staff. Security should become a state of mind and not something your staff take for granted. Sadly, there is no 100 per cent effective technical defence against cyber-attack, and very often the most vulnerable part of the business is the human component. Ensuring you and your staff are aware, cautious and conscious of the possible dangers is key. The message has to be that remaining secure is everybody's responsibility, not just the security or IT team."
A survey in May by BAE Systems Detica suggested nearly nine out of 10 UK businesses were very or fairly confident about their defences.
Dave Garfield, head of cyber security at BAE Systems Detica, also welcomed the programme, saying that it is vital that businesses recognise the threat posed by cyber crime and take greater action to protect their intellectual property and business-sensitive data.
So overall, businesses think that Government intervention is a good thing; after all, it takes a leader to take up the baton that others will follow. Among the challenges will be to ensure that the Government talks sense and does not blast hot air at businesses, who will be all too familiar with business advice that guides on nothing.
The instructions also need to be credible: if the guidance lacks practical content, the Government may be met with blank faces. Rob Cotton, CEO of NCC Group, said that it was great for leaders to espouse good theory, but he commented that there is no mention of mandatory requirements or legislation and, ultimately, no real action.
He said: "Yes, cyber security is a board issue as much as an IT issue. But the government can't just give advice – it needs to give practical help. We need training for employees to reduce the social engineering risk, grants for businesses in need to bolster their security, and mandatory transparency to reduce the stigma of suffering a breach. This conference will too easily end up being more hot air."
The involvement of GCHQ will add a large amount of credibility to the proceedings, but there is a fine line between advice and babble, and the Government may find this project falling over if it strays towards the latter. However, you have to wonder how capable GCHQ is of taking the time to instruct and train British businesses when a recent report claimed that the unit was losing staff to private industry. Then again, if those staff have moved into the private sector, maybe the expertise is there already.