The UK government has identified cyber attacks as one of the top national security threats and allocated £650m for UK cyber defences in the next four years, but is that level of awareness and investment matched by UK business?
The answer is both yes and no. Some organisations understand the threat and are investing in the right technology, people and processes to mitigate that risk, particularly in the financial services sector, but many are not.
"Everyone has opened the front door to information about themselves, their customers and partners, but most companies are unaware of the threat," says Prescott Winter, chief technology officer at security firm ArcSight and former CIO and CTO of the US National Security Agency.
Many organisations in the US, UK and elsewhere in the world admit that they don't know what they don't know, he says, because they are spending too much time fixing things instead of keeping up with the latest threats and attack methods.
Lack of investment
Another important factor, says Winter, is a lack of willingness by businesses to invest in new technologies and processes, particularly if they have not been seriously hit by a cyber attack.
"That is why sharing information about real-world attacks and their impact on the businesses involved could be an effective way of helping organisations understand that the threat is real and the importance of improving their defences," says Winter.
Businesses tend to ignore warnings about the cyber threat because they do not see how it applies to them, says Steve Cummings, special adviser at Deloitte information and technology risk.
As a former director of the UK Centre for the Protection of National Infrastructure (CPNI), Cummings says it is more helpful and meaningful to look at what kinds of resources can be downed by cyber attack and then look at how the loss of those resources would affect the business.
This usually helps get the message across, he says, and highlights the need to identify the most valuable processes and data assets within organisations as a first important step to setting up a risk model.
A good example of how information leakage can affect a business, says Winter, is a technology component organisation that gets the full financial benefit of a new product for only three months before competitors copy its design.
"Imagine what the impact on the business would be if competitors were able to go to market in less than three months by using stolen data," he says.
The challenge, says Winter, is that attackers need find only one way in, but defenders must cover them all. A risk model is important, he says, because it helps set priorities and ensures the most important assets and processes are protected first.
"A defender has to be able to see and defend everywhere, but this cannot be done without gathering information about the network to find out if anything is happening that is contrary to policy," he says.
To find the unknown threats and mitigate them, Winter says businesses need to adopt an integrated threat and risk management strategy.
Once businesses have identified their most valuable information assets and set up policies and risk management models, they can tune their systems to monitor and correlate incidents to identify potential threats and take automatic defensive action.
An important part of the risk analysis is identifying high-threat users, says Winter.
According to Cummings, there is a lot of evidence to suggest that organisations should be concerned about the people they employ.
Almost one-fifth of finance sector organisations surveyed by Deloitte in 2010 reported at least one internal security breach, and only 42% said they were confident in preventing such breaches.
Insider attacks are rarer than external attacks, says Cummings, but can be much more damaging, and should be of particular concern in private organisations that form part of critical national infrastructures.
Government departments have typically learned how to cope with these challenges as their IT systems are under constant attack, says Winter.
While many in the security industry have suggested that ensuring the UK has enough people with the right skills should be a priority for allocating funds designated to cyber defence, national and international information-sharing frameworks appear to be another crucial element.
"Information provides advantage in time. That gap is our strategic advantage," says Winter. "But we are losing the information advantage by a thousand cuts, one intrusion at a time."
National interests do not stop at the boundaries of government networks, he says, but extend to sectors such as education and healthcare, and naturally the organisations that form part of the critical national infrastructure.
In this sense, all these networks qualify for government support in building defences against cyber threats, says Winter.