Now is the time for action on cyber

Andrew Cooke | 24 Nov 2015

The Government has this week announced increased funding to enhance UK cyber security and a mandatory cyber health check for FTSE 350 firms. While the Government’s position on defending against such threats is encouraging, what more needs to be done to ensure our ongoing cyber security?

Since TalkTalk became the UK’s most high-profile cyber security breach a little over a month ago, public comment has focussed on how a large technology company could have such poor security. That a simple attack on their website resulted in the loss of customer account data was clearly a huge embarrassment to the company. The fact that the perpetrators were under sixteen only added to the public relations disaster.

However, the real consequences of the breach are probably far more limited. Will TalkTalk survive the media onslaught? The chances are that they will. What will happen to the thousands of customers whose records were lost? Probably very little, and once the media frenzy has passed, sporadic crimes resulting from the lost records will likely be swept under the carpet.

Ministerial announcements often cause a similar media frenzy in an effort to demonstrate that “something is being done.” Last week saw announcements from both George Osborne, speaking at GCHQ, and later Ed Vaizey, Minister for the Digital Economy, as to how the Government is going to support the fight against cybercrime. Osborne’s announcement focussed on the “additional” funding that the Government is providing, whereas Vaizey’s was about imposing a mandatory cyber health check for FTSE 350 firms.

Ministerial pronouncements rarely come with any great detail, and these are no different. They are, however, important steps forward in demonstrating that the Government does take cyber security seriously and is intent on protecting UK citizens both from terrorist attacks on their person and the national infrastructure. It is also key that the Government ensures that the private sector takes their privacy seriously and protects customers from financial crime arising from companies not protecting their records appropriately.

All this optimism, though, has to be tempered with a serious dose of reality. Much of GCHQ’s IA15 conference earlier this month focussed on the cyber security threat to our critical national infrastructure. The biggest risk to such infrastructure is the cyber security threat to the embedded industrial and process control systems in the plant and equipment that generates power, delivers water and controls transportation and communications systems.

We have yet to hear whether the health check will cover those process control systems. However, the one thing that we do know is that many, if not most, of the companies providing those services in the UK are either privately owned or not in the ownership of UK companies and will not be covered by the proposed cyber health check. That includes all of the companies building new nuclear power stations. 

Few people favour more and more regulation. This week’s announcements are a great start from the Government in making sure that UK citizens and our critical national infrastructure are better protected from cyber-attack. However, much more is needed before we can all sleep safely in the knowledge that no one is going to steal our bank details from poorly protected retail companies and that the infrastructure that runs our lives is safe and secure from disruption.