Tackling the challenges of cyber security
Countering cyber attacks has risen rapidly up the agenda for both government and businesses, with the cost of cyber attacks estimated at approximately £26 billion in the UK and $1 trillion in the US. Cyber attacks are no doubt becoming more frequent and sophisticated – yet at the same time, it is increasingly considered that up to 96 per cent of attacks could be stopped if businesses were to get the basics right.
Having recently announced a £650 million, four-year national cyber security programme, the UK government has a leading role to play in protecting both the public and private sectors.
To encourage businesses to take a more active approach to fighting cyber attacks, governments must take action on three fronts: promote a wider understanding of the business risk posed by cyber crime; acknowledge and address the cultural aspects of the issue; and involve academia and businesses in developing a collaborative response.
Explain the business risk posed by cyber crime
Our recent interviews with key UK companies reveal that many fail to protect their businesses in cyberspace because they do not understand the extent of the risk to which their businesses are exposed. As a result, they are unable to make the business case for action.
The large majority of a company’s value is now recognised to be ‘intangible’, and could be attacked in cyberspace. Information assets (such as intellectual property, business strategy and market insight) and physical assets (such as the IT systems that underpin a business) are all vulnerable. Theft or disablement of any of these can seriously disrupt, weaken and even destroy a business, as recent high-profile attacks have shown.
Specifying and quantifying the risk for individual businesses, rather than talking in terms of the overall impact of cyber crime on the national economy, is an effective way of making the threat more immediate for CEOs. Likewise, talking about the issues in non-technical language will encourage businesses to feel more confident in acknowledging, discussing and addressing the risks they face.
Acknowledge the cultural aspects of the cyber threat
Across the world, governments take a range of views on how close the link between the state and business should be, what constitutes ‘fair play’, and the extent to which ideas can be owned. These differences have a profound impact on the culture of cyberspace as it develops. Ensuring that domestic attitudes to issues such as national interest, fair competition and intellectual property rights are influential in shaping cyber culture is vital. A balance between control and freedom in cyberspace is needed.
In addition, encouraging a strong security culture within government and within businesses is critical – employers must let employees know that they expect them to play an active role in protecting corporate systems and information. This security culture needs to be implemented carefully to enable rather than stifle business.
Governments must also understand that many of those carrying out hacking attacks are young, talented and alienated from wider society. Their skills should be recognised and nurtured as part of a national response to cyber crime.
Develop a collaborative response
There are three key areas where governments must encourage collaboration in order to develop an effective response to the cyber threat:
- Much of the critical national infrastructure is in private hands; this means the involvement of the private sector is essential for any national cyber security strategy to be effective. The government must find a way to share intelligence about cyber attacks safely, and encourage the private sector to feel confident about revealing security concerns and problems to government.
- Universities have a key role to play in identifying and developing the talented people needed to conceive and build effective defences against the cyber threat. Governments must strengthen links with these institutions to address the current skills shortage.
- Cyber security is an international problem, yet it has taken ten years for the first few countries to sign up to the Budapest Convention. New international agreements are needed to better get to grips with what is a significant and expensive problem.