Most organisations acknowledge they are part of the critical national infrastructure (CNI) and believe a cyber attack could disrupt their country's mission-critical systems in the next two years, but are not well prepared for it, a study has revealed.
Despite an average of 69% of senior security leaders polled by the Ponemon Institute saying they expected such attacks, only 17% said their organisation had a collaborative strategy that included other organisations in their industry.
Fewer still, only 15%, said they had a collaborative strategy that included other organisations and the government, according to a US and European cyber security readiness study commissioned by Hewlett-Packard.
"An overwhelming majority expect something serious to happen, but the same majority are not really doing enough about it," said Peter McAllister, head of HP Vistorm's cybersecurity practice.
Just over half said they had a go-it-alone strategy and 17% had no co-ordinated strategy at all.
"While 21% recommended a collaborative strategy that includes other organisations in the same industry, in practice, those exist only in the loosest form and tend to rely on personal relationships," said McAllister.
"What leaps out of the page is a total lack of co-ordination across market sectors and within government on how the core government functions and the CNI go about defending themselves," he said.
According to McAllister, the big challenge facing the UK government is finding a way to bring control that allows the privatised companies operating parts of the CNI to benefit from the cybersecurity skills within the defence and intelligence sectors.
"We are all looking to see if, in the half billion pounds that has been allocated from a budgetary point of view, there is going to be some sort of identification of CNI and some way for them to connect to government to share knowledge about attacks and co-ordinate responses," he said.
In the National Security Strategy, cyber security has gone right up the agenda because government has taken a conscientious risk-based approach to identify the most likely threats against the UK, said McAllister.
"What we want is to encourage that same risk-based approach in government organisations and private corporations," he said.
A risk-based approach will enable organisations to understand their risks better and consequently where to put their investment, said McAllister.
"It is surprising how few organisations are doing it. Most are not doing that basic thinking before investing," he said.
On the positive side, McAllister said the Ponemon study highlighted several things organisations that are succeeding in mitigating cyber risks have in common.
More than 75% use security information management systems; they understand what it means to be part of the CNI; they make a genuine effort to educate people and to operate security controls rather than take a tick-box approach to audits; and they adopted early on the concept of a chief information security officer (CISO) who is neither a generalist nor a technologist.
The most effective CISOs, the study revealed, had an intelligence or law enforcement background and had been brought in from outside.
"This indicated that they were probably going to be more successful at expressing the consequences of the technology risk they were addressing to a non-technical board because they had a better domain understanding of risk rather than a technical understanding," said McAllister.
CISOs that were successful were also either a full board member or a direct report to a listening chief operating officer, he said.
Overall, the Ponemon study shows there is serious work to be done on co-ordinating government response and particularly where that touches CNI, said McAllister.
"Lots of people are doing good thinking about it and some good groundwork is being done in terms of maturity models and risk tools, but there is significant room for improvement," he said.