Sergey Nivens - Fotolia

UK government not doing enough to prevent cyber attacks, say CTOs

Some 60% of CTOs, 15% of CFOs and 23% of CEOs feel the government is not doing a good job educating businesses and defending them from cyber attacks

Three-fifths of UK chief technology officers (CTOs) believe the government is performing poorly in educating and protecting firms from cyber attacks, a survey of more than 200 C-level executives has revealed.

However, CFOs and CEOs are more positive, according to the research on the economic consequences of cyber attacks by security firm Veracode and the Centre of Economics and Business Research (Cebr).

The survey showed that only 15% of CFOs and 23% of CEOs felt the government’s performance was poor, while 23% of CFOs and 20% of CEOs rated the government’s performance as “good”.

With cyber attacks predicted to cause much more damage in the future, according to the Royal United Service Institute (RUSI), the Veracode/Cebr survey revealed that businesses are not waiting for the government to rescue them. 

More than half (57%) of CEOs hold themselves accountable for major cyber security incidents, while 88% of businesses have increased their annual IT spending following a cyber security breach. However, 70% of CTOs also believe their current cyber security policies stifle innovation, which potentially indicates a need for more streamlined and automated risk assessments.

Responding to the survey findings, a Cabinet Office spokesperson said the government published its Cyber Security Strategy in 2011 and has invested £860m to 2016 on the National Cyber Security Programme (NCSP) to ensure that Britain is one of the safest places to do business online.

“Achieving this relies on a real and meaningful partnership between government, industry and academia. We have had some notable achievements,” the spokesperson said in a statement.

“Through the NCSP we have invested in transforming our understanding of cyber threats and our ability to defend UK interests. We now also have a National Cyber Crime Unit within the National Crime Agency to tackle cyber crime and bring cyber criminals to account. We created the national Computer Emergency Response Team – Cert-UK – to respond to major cyber incidents."

The statement added that Cyber Security Information Sharing Partnership (CISP), which is based within Cert-UK, provides a "safe, trusted space for businesses and government to exchange information and develop responses in real time".

Read more about proposed EU data protection laws

"CISP started with fewer than 80 partner organisations – today it has more than 1,000 members and reports on more than 200,000 abused IP addresses daily," the statement read.

“We have worked with business to establish the award-winning Cyber Essentials scheme to raise awareness of five basic measures to keep companies safe. This scheme is now mandatory for certain types of government procurement, and 88% of FTSE 350 companies now have cyber security on their risk registers. 

"The 2015 Cyber security breaches survey states that nearly half (49%) of all the organisations surveyed have achieved a Cyber Essentials badge to protect themselves from common internet threats, or plan to get one in the next year."

The Cabinet Office statement also pointed to the government's 10 steps to cyber security guidance, which looks at how to safeguard a company's most valuable assets, such as personal data, online services and intellectual property (IP). 

“Clearly government cannot do this alone. But we are in far better place today than we were before the programme," the statement continued. "Partnership with the private sector remains vital. People are as likely to cause a breach as viruses and other types of malicious software. Together, and by heeding the available advice, business can better protect our assets, customers and their peace of mind,” the statement said.

Cyber attacks a threat to UK economy

The Veracode/Cebr survey also revealed that the top concerns of C-level executives are breach costs, reputation and brand damage, as well as loss of revenue due to downtime.

According to the survey report, cyber attacks pose a serious financial threat to the UK economy. Based on the survey data and the UK Annual Business Survey, Cebr calculated that cyber crime and other attacks are costing UK businesses around £34bn a year. This figure is made up of £18bn in lost revenue and £16bn spend on increased IT spending as a result of breaches. 

The issue is widespread, with 90% of large organisations and 74% of small organisations reporting a breach in the past year, according to the government’s 2015 information security breaches survey.

That survey also revealed that the average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m, while the cost of breaches for small businesses is between £75,000 and £311,000.

Surprisingly, respondents listed theft of corporate Intellectual property as only their sixth priority, which is in stark contrast to US perceptions, where board members ranked theft of IP – leading to loss of competitive advantage – among their top three cyber security worries. 

“The UK economy is under siege from cyber attackers and the UK government should look to other successful private/public partnerships – such as Swiss banking regulations, German data privacy laws and US breach disclosure laws – as a model of how to improve the situation for us all,” said Veracode director of enterprise security program management Adrian Beck.

“For example, disclosure laws would require firms to report breaches in a timely fashion, thereby protecting consumers from identity theft and encouraging companies to implement best practices when dealing with cyber security,” he added.

The current UK Data Protection Act does not require companies to notify of data breaches, but the proposed EU General Data Protection Regulation does. And while the yet-to-be finalised regulation is not expected to be enforced before 2017 or even 2018, PwC Legal partner Stewart Room has warned that UK authorities are already applying its principles.

“Much of the objective of the reform has already been achieved because regulators are already regulating as if the new legal framework were already in place,” he told Computer Weekly.

While data breach notification is not yet law, Room said the Information Commissioner’s Office considers it to be either a mitigating or aggravating factor when considering monetary penalties in data breach cases, which means the UK regulator is acting as if breach disclosure is already law.

Read more on Hackers and cybercrime prevention