Recently there have been a spate of government initiatives around cyber security; the Home Office’s £4 million investment in cyber-security awareness, GCHQ’s cyber-incident response scheme, and the cyber-health check for all FTSE 350 companies by way of cyber audits. It is heartening to see the government’s increasing focus on developing measures to tackle the cyber-crime problem.
I’m intrigued though by the FTSE 350 cyber-audits initiative announced jointly by the GCHQ and MI5, following the KPMG study that 78 per cent of companies in the Forbes’ Global 2000 are leaking data online and so inadvertently allowing cyber criminals to perpetuate fraud. According to this UK cyber-audit scheme, heads of FTSE 350 companies will be required to fill a ‘form’ that will serve as a cyber-governance health check on their company.
A few questions come to mind; are the chairmen and women of FTSE companies the best people to complete the audit questionnaires? Logically, infosecurity professionals are better placed to provide such information as they are dealing with security issues on a day-today basis, they have knowledge of the exact security measures in place within their organisation and insight into areas where more investment is needed as they closely monitor the evolving threat landscape, and so are more likely to provide the relevant and accurate data.
Furthermore, are these audits optional or mandatory? Clearly, the implications for companies will be very different for either situation.
It is also unclear as to what the GCHQ and MI5 will do with the information revealed by these cyber-audits. In this age of state sponsored cyber-attacks and PRISM, there are great sensitivities surrounding governments’ objectives for accessing data.
My biggest reservation though is that this initiative does not address the core security issues that the KPMG report highlights. Will this initiative boost the FTSE 350 companies’ investment in cyber-security to undertake the necessary steps to minimise their online exposure?
Governance is good, but our security agencies need to articulate how this initiative will help tangibly improve the cyber-security of these organisations, the wider business community and the general public.
The recent UK Home Affairs Committee report on e-crime for 2013-2014 highlights that low-level e-crimes often go unreported or uninvestigated by law enforcement. We need broader programmes that help create general awareness of online crime and what the general public can do if they fall victim. All parties including government, security agencies and the private sector must cohesively work together if we are to start making a dent in tackling cyber-crime. Given the nature of the cyber-landscape, narrowly focusing on segments of our ecosphere isn’t going to cut the mustard.
John Colley, managing director, (ISC)2 EMEA