IFSEC Insider | Security and Fire News and Resources

GCHQ to advise business moguls on fighting cyber threats

According to the coalition Government, too few company chief executives and chairmen take a direct interest in protecting their businesses from cyber threats.

On that basis, for the first time the ‘Government of the Day’ and intelligence agencies are directly targeting the most senior levels in the UK’s largest companies and providing them with advice on how to safeguard their most valuable assets: among them personal data, online services and intellectual property.

Earlier today, the Government launched its Cyber Security Guidance for Business at a Foreign Office-hosted event attended by FTSE 100 CEOs and chairmen, ministers from the Department for Business, Innovation and Skills (BIS), the Foreign Office, the Cabinet Office, the Home Office and senior figures from within the intelligence agencies.

Produced jointly by the CESG (the Information Security arm of GCHQ), the Department for Business, Innovation and Skills and the Centre for the Protection of National Infrastructure (CPNI), the new guidance will help the private sector minimise risks to company assets and purposefully builds on a key objective within the Government’s Cyber Security Strategy: to work hand-in-hand with industry and make the UK one of the most secure places in the world to do online business.

The guidance builds on comments made last November in a speech by foreign secretary William Hague at the London Conference for Cyberspace, at which he emphasised that cyberspace must be secure and reliable so that it’s trusted for online business, and that innovators are confident their discoveries will be appropriately protected.

Another theme was the importance of Government and industry taking a shared responsibility towards the prevention of cyber crime.

Cyber Security Guidance for Business: the fine detail

Cyber Security Guidance for Business consists of three ‘products’ or documents.

The first of these is aimed squarely at senior executives. It offers some high-level questions which the Government believes will help them to determine their critical information assets, support them in their strategic-level risk discussions and help them ensure that they have the right safeguards and cultures in place.

The second product is an ‘Executive Companion’ which discusses how cyber security is one of the biggest challenges that business and the wider UK economy face today. It offers guidance for business on how, together with Government, they can make the UK’s networks more resilient and protect key information assets against cyber threats.

This particular document focuses on key points around risk management and corporate governance, and includes some anonymous Case Studies based on real life scenarios.

Lastly, the third product supports the ‘Executive Companion’ and provides more detailed cyber security information and advice for ten critical areas (covering both technical and process/cultural areas).

Top 20 Critical Controls for Effective Cyber Defence

The Government states: “If implemented as a set this advice can substantially reduce the cyber risk by helping to prevent or deter the majority of types of attacks.”

For each of these ten areas, the Government has summarised the issue, outlined the potential risks and provided some practical measures and advice to reduce these risks.

Indeed, the material presented integrates the ‘Top 20 Critical Controls for Effective Cyber Defence’ as endorsed by the CPNI. These controls provide further detailed guidance.

Frank Coggrave, general manager EMEA at Guidance Software, commented: “The news that GCHQ will be working alongside the private sector to help combat cyber attacks is to be welcomed. The next step, however, is to ensure that these collaborations enable an efficient and swift response to the attacks that we face today.”

He continued: “The perpetrators of cyber attacks are reactive and fast. Therefore, any partnership that we create has to be just as dynamic in order to defend effectively. The proposed ‘Top 20 Critical Controls for Effective Cyber Defence’ may help to reinforce the importance of security processes, but just putting together a list of rules that are reviewed and updated every year isn’t going to help. Cyber criminals will always find ways around them. That being the case, the focus of this collaboration must be on forming a partnership that allows for swift reactions, information sharing and a reduced time between detection of an attack and the response.”

What do the politicians say?

Speaking about this move, business secretary Vince Cable commented: “Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property. By properly protecting themselves against attacks companies are safeguarding their bottom line. Ensuring this happens should be the responsibility of any chief executive or chairman as part of an approach to good corporate governance which secures a business for the long-term.”

As the minister responsible for the Government Communications Headquarters (GCHQ), foreign secretary William Hague added: “The UK is committed to building a secure, resilient, open and trusted Internet. We are working with partners across the globe to ensure this vision becomes a reality.”

On the same day that Prime Minister David Cameron’s new-look Cabinet held its first meeting at 10 Downing Street, Hague continued: “A networked world brings many advantages, but cyberspace – and cybercrime – knows no borders. Businesses must be alert to the dangers. Drawing on GCHQ’s experience, and working with industry, the Government is committed to helping reduce vulnerability to attacks and ensuring that the UK is the safest place in the world to do business.”

Home Secretary Theresa May has also voiced her opinions on the matter.

“Cyber crime is a serious problem which affects businesses of all sizes and can have devastating consequences,” explained May. “That is why we have funded the expansion of the Police Central e-Crime Unit in the Metropolitan Police Service and SOCA’s Cyber Unit, and established three regional cyber specialist hubs to help combat the threat. We will build on this by introducing a dedicated Cyber Crime Unit within the new National Crime Agency.”

In a speech given to the International Institute for Strategic Studies back in October 2010, GCHQ director Iain Lobban discussed how “getting cyber right” enables the UK’s continuing economic prosperity. He also commented on the expertise that GCHQ can offer to help shape the UK’s response to the cyber security threat.
