At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments.
A recent report by Chatham House in association with Detica indicates that many private organizations are well behind the government in how they evaluate and defend against these type of threats. The report highlights a lack of understanding among board-level directors and senior managers at some of the largest of the UK's private sector 'critical infrastructure' organizations of the risks and consequences of cyber attacks. Researchers interviewed senior executives (rather than IT / security professionals), who, according to the report, "expressed a wish to become more intelligent customers, feeling that at present they speak a different language from their ICT professionals and thus are unable to consider cyber security issues in depth."
Given several high profile virus and hacking attacks in the news this year, and the now near-total reliance on complex IT systems and integrated global communications on the part of most companies, this is worrying. Particularly when you consider the estimated costs of cyber attacks on UK private and public sector businesses: The Parliamentary Office of Science and Technology estimates that the most common type of cyber attacks are costing the UK roughly £27 billion (just over US$ 40 billion) a year, with cyber theft of intellectual property alone accounting for £9.2 billion (around US$ 14 billion) of this (Detica / Cabinet Office report).
It will come as no surprise to the IT / security professionals amongst us that the Chatham House report concludes that companies must view cyber security as an issue that extends beyond the realm of an IT department. In fact, many of the steps recommended in the report are simply IT security 'best practices'. For example, companies are advised to conduct more thorough risk assessments which consider their own potential cyber risks as well as those of organizations on which the company is dependant and to implement training and other projects to raise awareness at all levels of the organization. The aim is to integrate privacy and cyber security considerations into the design and risk assessment of each business process and system.
What will it take to achieve an understanding at board level, not just of the threats out there but their potential real impact on the P&L, in order to move cyber-security up the board's agenda?
One of the aims of the Chatham House report is to try and drive change from the top down, by emphasising the need for board leadership and participation. The report also comments on the need for government and industry to work more closely together to share information and standardize best practices.
If, as expected, the revised European data protection laws move to a system based on accountability, then this should force a higher level of board focus. An "accountability" focused regime will require organisations to demonstrate that they have in place policies, processes and technical and organisational security measures to protect personal data, and will require privacy impact assessments as part of change management which will consider the risks and consequences of cyber threats on the organisation. Can IT/ security professionals use the proposed change in law to try and increase the focus on cyber security despite the new rules being several years away from agreement? If not, then without a governmental initiative or a significant increase in cyber security attacks, it may be hard to change management's awareness of the potential impact of these threats and move them up the agenda, particularly as the impact on reputation can be hard to evaluate.