Ed Savage, expert in cyber security, PA Consulting Group. The Times, 9 September 2011.
Countries around the world are seeing persistent, systematic and continuing pillaging of government and corporate IT systems for fraud, industrial espionage and competitive advantage.
Countering cyber attacks has risen rapidly up the agenda in the UK with the Government estimating that cyber crime costs Britain more than £26 billion a year. Both government and industry must work together to define, resource and implement cyber defences at both the national and organisational level to protect citizens, assets and economic well-being.
The obvious way to counter the rising threat would be to build virtual walls around sensitive systems and to put a minimum amount of sensitive data online. However, given the need to realise significant savings in government expenditure, the clear imperative is to put services online, from benefit payments to tax receipts, and to drive down the cost of IT through cloud-based computing, collaboration and home-working. The challenge, therefore, is how to balance efficiency with the need to protect systems from the cyber threat.
In response to this challenge the Government recently announced a £650 million, four-year national cyber security programme led by the Cabinet Office, through which Britain will overhaul its approach to cyber security and defence. In an environment where it is not always possible to share details of the nature and extent of cyber attacks, education and awareness will no doubt be part of the programme’s remit, with government and industry sharing information on cyber attacks and the means to protect against them. In addition, and in the context of the cyber-enabled insider threat, the Centre for the Protection of National Infrastructure is developing national guidance for the holistic management of employee risk.
Another aspect of cyber security that the programme will need to address is a shortage of "cyber-skills", particularly in the public sector. As former Home Secretary Lord Reid has suggested, a cyber resilience task force is needed to help the public sector train, recruit and retain key skills. This was reinforced by the director of GCHQ telling the Government's Intelligence and Security Committee that he needed "some real internet whizzes to do cyber" but that it was difficult to retain such individuals because of higher private sector salaries. Better support for existing staff, greater professionalisation and improved career opportunities are urgently needed. Without these measures, the market will continue to push salaries higher and the public sector will need to find the resources to secure the best people.
While a truly effective cyber security strategy will require some strategic investment, it is important to note that the nation's cyber defences can be improved by the simplest of housekeeping measures. The hackers' job is made easier by a failure to implement basic IT arrangements (such as system security patching), or by employees unwittingly installing malware on their computers during a visit to a social media site. Once basic protection is in place, the UK's £650 million investment can be better spent and more closely focused on protecting key government and corporate assets from direct threats, and even on creating competitive advantage for UK plc.
Ed Savage is a specialist in cyber security at PA Consulting Group.