Digital technology is increasingly at the center of economic activity in the U.K. This is creating new opportunities for the technology sector and innovative companies. But it also creates fresh risks around the security and integrity of the digital infrastructure and sensitive business data. Surveys consistently show high levels of cyber-attacks and data breaches across all sectors of the economy, in common with other countries around the world. So, how is the U.K. doing in responding to the cyber threat in business?
TAKING CYBER SERIOUSLY
Businesses in the U.K. are taking cyber security seriously and investing in new capabilities to defend themselves and improve their ability to respond to incidents. Cyber security has clearly gone up the agenda of boards in the U.K. and is being discussed more regularly at a senior level. This progress is reflected in the U.K. government’s Cyber Governance Health Check survey of FTSE 350 firms, which reported significant increases in awareness, training and engagement at board level at the end of 2014.
ICAEW’s own Audit Insights: Cyber Security report, which captures the experience of the top audit firms in their engagement with businesses, also highlights the progress made in recent years. But it argues that, while businesses may be improving their cyber capabilities, so are the attackers. As a result, despite the progress, many businesses are still struggling to close the gap with more sophisticated adversaries.
LEADING THE AGENDA
The U.K. government has taken a proactive approach to improving cyber security capabilities across government and business, investing $1.35bn over five years in its cyber security strategy. A key aim is to ensure that the U.K. is a safe place to work and transact online.
Much of this investment has focused on strengthening critical national infrastructure and improving response capabilities. Another priority has been to grow the skills base, with investment in schools and universities to increase general cyber awareness, and increase the number of technical specialists.
There has also been a strong emphasis on supporting businesses to build individual cyber security capabilities. The government has adopted a variety of initiatives to encourage better practices including awareness raising and training.
But there has been no move to regulate around cyber risks. The distinct nature of cyber risks makes it difficult to develop a single regulatory solution for all businesses. The field also changes rapidly, meaning that regulation could very quickly fall behind current practice. Instead, the government has focused on the role of the market in providing incentives for adopting good security measures.
GETTING THE BASICS RIGHT
It is often said that businesses could prevent the majority of security breaches by getting basic security measures right. However, almost all businesses struggle to do this in practice. In large businesses with complex IT environments, just keeping anti-malware protection and software patches up-to-date is hugely time-consuming. Smaller businesses may lack the resources, time and knowledge to implement effective security measures. All businesses struggle with the human dimension of security, typically described as the weakest link.
But what are the elements of basic security? How do businesses judge whether they are doing the right things and investing the right amount in cyber security? While there are many information security standards, they are typically technical, very detailed and confusing for non-experts.
Therefore, a priority of the government’s cyber strategy has been the development of Cyber Essentials. This is a basic organizational standard aimed at preventing low-level, unsophisticated cyber-attacks. Following extensive consultation with businesses and the technology industry, it is based on five technical controls judged to stop the most common attacks: boundary firewalls and internet gateways, secure configuration (including changing default passwords), user access control, malware protection and patch management.
Cyber Essentials is not the complete solution for many businesses, and larger organizations will likely continue to use more sophisticated standards, such as ISO 27001. However, it provides a baseline, especially for smaller businesses, and is a clear platform to drive improvements throughout the supply chain. For example, compliance with Cyber Essentials is now mandatory when bidding for certain U.K. government contracts. The government would like other supply chains to adopt a similar approach, so that compliance becomes simply part of doing business in future.
CHANGING THE SECURITY CULTURE
Traditionally, a business built its information security defenses around its boundaries. However, changes in technology and business models have made the organizational perimeter increasingly porous. Mobile devices, cloud computing, social media, outsourcing of services – all of these trends have led to large amounts of data being stored or accessed outside the boundaries of a business and its direct control.
This makes it more and more difficult for businesses to defend against attacks and prevent breaches. As a result, data breaches are increasingly becoming just part of doing business in a digital economy.
This shift has a number of implications. Businesses need to focus more on detecting breaches and incident response, for example, and rely less on purely preventative measures. They need to focus their resources on their most critical data, and worry less about data that is not confidential or sensitive.
Businesses are also stronger working together in this context, as they can build up better intelligence about attackers. This contrasts with traditional approaches to security, which have been more focused on maintaining secrecy.
To encourage this culture change, the government has established the Cyber-security Information Sharing Partnership (CiSP) to enable businesses to share information about attacks with peers. This works on a fairly technical basis but can provide useful intelligence to participants about current threats. It is complemented by information sharing initiatives at industry level.
SMALL BUSINESS MATTERS
However, while larger businesses have made progress, smaller businesses are still struggling to engage on the topic and invest the required time and resources. This raises risks across entire supply chains, as large businesses rely on smaller businesses in many ways. Indeed, some of the most high-profile data breaches have resulted from poor security in smaller sub-contractors, which has enabled attackers to access the systems of larger businesses.
It is hoped that initiatives such as Cyber Essentials will drive changes in behavior. The move to cloud computing may help smaller businesses, as suppliers take a stronger role in protecting their data. ICAEW, along with other professional bodies, has also targeted the small business community for awareness raising and training activities.
But the evidence to date shows that there has been no change in the behavior of small businesses in this regard, despite all the investment and effort. When the new U.K. government defines its fresh cyber security strategy, it needs to rethink how to engage with smaller businesses to improve practices.
As part of the E.U., the U.K. will be subject to the impending directive on network and information security and the regulation on data protection. One significant change arising from these pieces of legislation will be a requirement to report certain types of data breach to the relevant authorities. Breach notification is currently not a general requirement on businesses in the U.K., unlike in many parts of the U.S. While the details of the legislation are still being worked out, this will be a big change for businesses.
The advent of breach notification will also provide a new wealth of data about breaches, and it is hoped that this will support the development of a stronger cyber insurance market. The market has been constrained to date by the lack of data about breaches, making it difficult to price policies. More data should therefore enable insurance companies to improve their ability to calculate risks. Furthermore, Cyber Essentials provides a good baseline against which claims can be assessed.
As a result, although insurance does not replace the need to implement good practices, it may play an increasingly important role in the cyber security landscape in the U.K. Indeed, the U.K. government has been actively working with the insurance industry to encourage this development.
Cyber security has become an ever more important part of doing business in a digital economy. It has gone up the agenda of U.K. businesses and the U.K. government has been at the forefront of building stronger cyber capabilities across all aspects of the economy. But there is still much more to do. Governments, businesses and the technology industry will have to continue to co-operate across all aspects of training, infrastructure and good practices to ensure that the U.K. remains a safe place to do business.