Current Filter: Security>>>>>News>

   

The international market for cyber security is flawed, as the provisions of cyber security measures do not meet the demand - assuming there is significant demand at all. That was the message delivered recently by Robert Hannigan, director of intelligence and GCHQ at the IA15 conference of CESG - the Information Security arm of GCHQ. Usually reluctant to speak publicly, Hannigan's warning to the UK's public and private sectors comes at the same time as GCHQ recently disclosed climbing cybercrime statistics. The British intelligence agency now identifies 200 major cyber attacks every month, double last year's figure.

According to Richard Pharro, CEO of APMG International, CIOs and CISOs should use Hannigan's speech as a means of raising the importance of improved security strategies with the board as an important first step towards establishing a safe online culture across their organisation. Pharro comments: "To prevent these numbers creeping up, and reflecting on the balance sheet of large UK businesses, it's essential that organisations take a proactive approach to securing their infrastructure. Hannigan recognises CIOs and CISOs in UK organisations simply aren't keeping up with the pace of change, and so are increasingly overwhelmed by the threat of cyber attacks.

"Although time and again the latest hack is dutifully followed by a flurry of public statements making claim to a renewed focus and tightening of internal security standards, most organisations have already proved there is far too much inertia in the industry for a large-scale cyber attack to have a meaningful impact on changing behaviours.

"The carrot-and-stick assumption that companies have continually worked to improve their security is now inappropriate; security strategies cobbled together in response to the latest threat simply aren't enough. Instead, to achieve coherent and sweeping change, business leaders must assume greater responsibility for the security of their data."

In order to instigate this widespread change, Hannigan suggests the introduction of disclosure requirements for businesses, along with greater liability and tougher regulation of standards, adds Pharro. "Any large-scale attack could threaten jobs and detract from the credibility of big business. However, there are wider implications to organisations not directly embroiled in the hack. BT's chief executive believes the TalkTalk hack, for instance, could have caused a lasting loss of trust in the telecoms industry as a whole. While companies have traditionally been thought to provide adequate security, 'adequate' security in some boardrooms is defined by the actions of cyber attackers, rather than the proactive security strategy put in place across the organisation."

However, one of Hannigan's key messages was that it is not the government's job to prevent risk among organisations. Pharro continues: "Companies invite instability into their infrastructure through an incomplete, reactive approach to the protection of their systems. By their nature, the methods hackers use to approach a company's infrastructure continually change, so organisations are required to mitigate the threat of new attacks as though these attack vectors have already proven to have breached defences elsewhere."