In-depth

Cyber security: striking a difficult balance

Governments alone cannot solve the IT security challenge. The IT industry, and business community need to take action too.

Inside the enterprise: If defence of the realm is the first duty of government, then when it comes to cyber threats, the UK should be ahead of the game.

Over the last few years, the UK government and its agencies have invested significantly in stepping up cybersecurity protection, even devoting a significant share of a declining military budget to cyber measures.

Maybe now is the time for the IT industry to show what it is doing to put its cyber-security house in order.

Business advice, too, has been at the centre of this more hands-on approach, with a range of measures drafted to help businesses improve their own cybersecurity posture. This is one area, at least, where we really are "all in it together".

By the Government's own estimates, 93 per cent of large companies, and 87 per cent of SMEs, have suffered a cyber breach over the last year with a cost ranging from 450,000 to 850,000 for breaches at large enterprises.

Aside from direct involvement in countering the cyber threat, such as the 650m committed to cyber protection in 2010's Strategic Defence and Security Review, the focus has been on improving collaboration between Government, and its security agencies, and business.

This has, for example, led to a more overt role for GCHQ, including an extension of the Cheltenham-led CESG CCP certification scheme to private sector candidates. Previously, this certification was limited to civil servants, the military, and of course, the spooks.

This is generally beneficial: smaller firms, in particular, should benefit from free and generally high-quality advice. But the government needs to strike a balance between supporting business, and dictating to them how to protect themselves. This balance is especially difficult in areas of critical national infrastructure (CNI), where companies deliver services that everyone in the country depends on.

The latest move by the UK Government is its policy paper, Cyber security skills: business perspectives and government's next steps, published earlier this month.

This latest paper includes a proposed, new cyber-security curriculum for 11 to 14 year olds, and more support around cyber security for the university sector. A large part of the Government's overall strategy, according to ministers, is to improve the UK's "cross- cutting knowledge, skills and capability" the country needs to improve cyber security protection.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

This, the Government admits, is a challenge. Barriers range from a low take-up of STEM (science, engineering, technology and maths) subjects in school and a lack of awareness of cybersecurity careers, to a need to improve broader understanding of cyber risks. This includes continuing to raise awareness among company boards.

Again, addressing these issues is a laudable aim and the UK has made real progress in improving both awareness and the level of security skills, and the overall standard of defence over the last few years.

But there is a risk that well-meaning initiatives turn into overly prescriptive measures.

There is a plethora of security certifications in the profession already, and some industry figures question whether more are needed, especially certifications that lean heavily on public sector practice. And new laws coming up, such as the EU's Data Protection Regulation, could go further in telling companies how to protect their systems.

Government action so far has been useful, and should be welcomed. But maybe now is the time for the IT industry to show what it is doing to put its cyber-security house in order.

Stephen Pritchard is contributing editor at IT Pro.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/business-strategy/careers-training/33050/uk-universities-receive-110m-to-fund-ai-masters-and-phd
Careers & training

UK universities recieve £110m to fund AI Masters and PhDs

21 Feb 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019