Lasting change in the private sector’s attitude to threats is key to achieving better cyber security, says APMG
GCHQ seeks to draw line under the UK organisations’ poor cyber strategies
In a speech delivered to CESG’s IA15 conference last week, Robert Hannigan, director of intelligence and GCHQ, declared that the international market for cyber security is flawed, as the provisions of cyber security measures do not meet the demand, assuming there is significant demand at all.
Usually reluctant to speak publicly, Hannigan’s warning to the UK’s public and private sectors comes at the same time as GCHQ recently disclosed climbing cyber crime statistics. The British intelligence agency now identifies 200 major cyber attacks every month, double last year’s figure.
According to Richard Pharro, CEO of APMG International, CIOs and CISOs should use Hannigan’s speech as a means of raising the importance of improved security strategies with the board as an important first step towards establishing a safe online culture across their organisation.
Richard Pharro, commented:
“To prevent these numbers creeping up, and reflecting on the balance sheet of large UK businesses, it’s essential that organisations take a proactive approach to securing their infrastructure. Hannigan recognises CIOs and CISOs in UK organisations simply aren’t keeping up with the pace of change, and so are increasingly overwhelmed by the threat of cyber attacks.”
“Although time and again the latest hack is dutifully followed by a flurry of public statements making claim to a renewed focus and tightening of internal security standards, most organisations have already proved there is far too much inertia in the industry for a large scale cyber attack to have a meaningful impact on changing behaviours. The carrot and stick assumption that companies have continually worked to improve their security is now inappropriate; security strategies cobbled together in response to the latest threat simply aren’t enough. Instead, to achieve coherent and sweeping change, business leaders must assume greater responsibility for the security of their data.”
In order to instigate this widespread change, Hannigan suggested the introduction of disclosure requirements for businesses along with greater liability and tougher regulation of standards.
“Any large-scale attack could threaten jobs and detract from the credibility of big business, however, there are wider implications to organisations not directly embroiled in the hack. BT’s Chief Executive believes the TalkTalk hack, for instance, could have caused a lasting loss of trust in the telecoms industry as a whole. While companies have traditionally been thought to provide adequate security, ‘adequate’ security in some boardrooms is defined by the actions of cyber attackers, rather than the proactive security strategy put in place across the organisation.”
However, one of Hannigan’s key messages was that it is not the government’s job to prevent risk among organisations.
“Companies invite instability into their infrastructure through an incomplete, reactive approach to the protection of their systems. By their nature, the methods hackers use to approach a company’s infrastructure continually change, so organisations are required to mitigate the threat of new attacks as though these attack vectors have already proven to have breached defences elsewhere.
“The onus is on the private sector to account directly for imperfections in security strategies. With cyber assessment tools, such CDCAT (Cyber Defence Capability Assessment Tool), appetite for risk and the degree of control an organisation has over their infrastructure can be identified with a view to improving preparedness in the case of an attack. Only with this information is it possible for CISOs to raise the importance of cyber security with the Board,” he concluded.