As the season changes we naturally look towards the onset of winter and for those of us lucky enough to have open fireplaces, the opportunity for cosy nights relaxing in front of a log fire. We could even be forgiven for contemplating one of the seven deadly sins, sloth!
Notwithstanding the many recent vibrant cyber security campaigns, many people I’ve asked about the stance of their business on cyber security admit to a degree of sloth or, in other words, laziness or apathy. This isn’t good enough and attitudes and behaviours need to change. Raised awareness doesn’t seem to have hit the mark. Businesses have either been unable to or not interested in changing the ways they behave towards cyber security.
A colleague recently highlighted the attitude of a senior executive from a key aerospace manufacturer who believes that since their designs are open and high technology they are therefore difficult to copy. As such, even if their systems are compromised, the threat of IP theft is of little importance.
But what about the theft of sensitive price point information, bid documents, employee names, addresses and contact details, pay scales, supply chain details, asset and shipment details - the list is almost endless.
It’s data that could lose a competition, damage a supply chain, empower socially engineered Trojan attacks, shut down networks at a critical point or simply help competitors become better prepared for the next market opportunity. This brought home the point that the message doesn’t seem to have hit mark.
The Detica report on ‘The Cost of Cyber Crime’ published in 2011 and sponsored by the Office of Cyber Security and Information Assurance in the Cabinet Office states in its forward:
You may or may not believe this number but that’s not the point - it’s big, very big and we cannot afford to be complacent.
BIS, the Cabinet Office in the guise of OCSIA, CPNI and CESG need to be applauded for publishing a range of cyber security guidance for business which provides valuable insight into measures to combat the growing cyber security threat that is becoming increasingly more sophisticated as criminals realise that lucrative pickings are easy to realise. But awareness of the threat and guidance does not necessarily translate into a change of behaviour.
Recently, I was privileged to attend the opening of De Montfort University’s Cyber Security Centre in Leicester. A key take away from the day was the realisation that ‘it’s not often that humanity invents a new space to live in’ and we need to ensure that we understand this new space we all inhabit. We need to understand it’s characteristics, the opportunities for asymmetric effect (a relatively small effort can have a globally significant impact), the need for new behaviours and for new defence mechanisms.
In defining a cyber defence strategy businesses needs to start from an assumption that they are already compromised and develop new behaviours and cyber defence methods.
So how can we hope to change business behaviours?
Step 1: Let’s start by supporting and accelerating action already underway. Progress on the establishment of the eight Academic Centres of Excellence nominated by GCHQ is a great start and the most recent opened at the University of Bristol. Let’s get behind these centres and get involved.
Step 2: In order to change behaviour we need business to step up to the mark and it’s worth noting that similar issues in the US prompted the establishment of the Cyber Security Research Alliance. UK FTSE 100 companies need to get involved in driving a change in behaviour in their supply chains, not just focus on raising awareness - albeit a praiseworthy activity.
Step 3: UK industry needs to raise its own game working in partnership with Government and academia. Maybe the Cabinet Office, in the same way it established a high level industry group in the vertical telecommunication market (TISAC), should sponsor a UK Cyber Security Centre possibly under the auspices of Project Auburn to drive cyber security intelligence sharing and behaviour change.
Finally, and on a less serious note, a quote from Q in the latest Bond Movie that struck me when I was writing this blog: ‘I can do more damage on my laptop in my pyjamas than you can do in a year in the field’ - oh how the world has changed in the last 50 years of James Bond!