UK business and government dangerously out of tune with cyber threats, says Chatham House

Business and public sector organisations lack understanding of the nature and gravity of cyber threats and the UK government lacks vision and leadership in dealing with cyber attacks, according to a report by Chatham House.

Widespread confusion over the scale and nature of cyber criminality is undermining efforts to tackle the problem, the think-tank warned in the report.

Company bosses are criticised for delegating responsibility to IT specialists in a deliberate effort to keep a problem they may not understand "at arm's length".

The report, which is based on interviews with representatives of 100 of the UK's top businesses and banks, revealed that many staff believe cyber threats are already out of control.

"One financial institution reported that the volume and sophistication of threats are now outstripping the organisation's capacity to respond," the report said.

Geoff White, senior market underwriter TechMedia in Zurich's UK General Insurance business, said the increased threat of cyber crime and IP theft to UK companies brings a new sense of vulnerability to this sector which can have disastrous consequences for businesses.

"Companies understandably feel exposed, but it is vital that they are prepared for the unexpected and implement clear, effective strategies and frameworks to tackle any cyber incident which may occur.

"It's essential that both businesses and government work together to stay on top of these challenges to ensure UK technology companies are safe, and are able to grow in this fast-moving, unpredictable global technology market," he said.

Security awareness and responsibility lacking

Chatham House noted that while there seems to be a consensus that the problem is growing, many companies appear to be taking it less than seriously.

"A heightened perception of cybersecurity risk is being met with diminished resources and interest," the report said.

Liz Fitzsimons, senior associate at international law firm Eversheds, said more needs to be done to understand this global risk and deal with it appropriately.

"Organisations should consider suitable training to improve understanding - including at board level - regularly review security and update arrangements, and have a suitable security breach response team and procedure in place to deal with incidents," she said.

But the Chatham House report concluded that the UK government must play "an integral role in informing wider society" and raising levels of awareness.

The report said there is no coherent picture of who is targeting what and which systems and services are potentially vulnerable to cyber attack.

According to Frank Coggrave, general manager Emea at Guidance Software, the key recommendation in this Chatham House report is for the government to set up a single, accessible bank of cybersecurity information and advice.

"We have been calling for that for some time. The industry as a whole - customers and suppliers - has the responsibility to protect itself from cyber attacks, but it's not something organisations can do alone, as the threats are unremitting, evolving and dangerous," he said.

Pooling resources, information and intelligence is vital, but difficult to focus on when under personal attack, said Coggrave.

"Government is all about doing important things collectively that individuals can't do on their own, so let's see some actual government here, not just rhetoric," he said.

Protecting national infrastructure

The Chatham House report said the UK government is also failing to take a strong lead in protecting critical national infrastructure such as power and water systems from cyber attack, and in sharing information with organisations that might be targeted.

Around £130m of the £650m of additional funding to help tackle computer-based threats that the government announced last year has been allocated to critical infrastructure projects, but the Chatham House report questioned how that money will be used, considering that "the vast majority of critical infrastructure in the UK is privately owned".

With large parts of the UK's infrastructure run by private companies, there is an expectation that they would be alert to growing online threats, but the reality is often very different, according to Chatham House researchers, the BBC reports.

The Cabinet Office, which is in charge of the UK's cybersecurity strategy, has issued a statement saying that closer collaboration between the government and the private sector is "crucial to protecting our interests in cyberspace, including critical national infrastructure".

The Chatham House report comes ahead of the government's expected announcement of a revised cybersecurity plan.
