Out-Law / Your Daily Need-To-Know

Out-Law News

UK business executives should be more aware of cyber threats, report says


Senior managers of UK businesses are "uninformed" about cyber threats to their business, new research has claimed.

A report by researchers at international and current affairs think-tank Chatham House said that many UK businesses operated with an "unexpectedly high level of risk" to online security and that senior managers were not aware of the "nature" of problems that faced them.

"While the question of cyber security appears to be ascending in boardroom consciousness, many senior managers still seem largely uninformed about the nature of cyber threats to their businesses and – just as significantly – do not know where to turn for high-quality information on threats and responses," the Chatham House report (50-page / 1.57MB PDF) said.

"Many of the organisations surveyed in the course of this project have developed an attitude to cyber security that is fundamentally contradictory. In most cases, they declared themselves to be aware of cyber security threats. Yet these same organisations were willing, for a variety of resource and other reasons, to accept an unexpectedly high level of risk in this area," the report said.

Senior managers need to be "sufficiently confident to ask the right questions from those tasked with providing security within their organisation," it said.

Businesses that decided to manage "cyber risk ... at arm's length" are dealing with the problem with "diminished resources and interest," it said.

Public and private sector organisations do not appear to have established a "coherent picture" over what constitutes vulnerabilities in online security and the "likely severity of the consequences," the researchers said.

"There is, in short, no agreement on the nature and gravity of the problem that is either so compelling or so widely accepted as to catalyse a society-wide response to the challenges of cyber security, embracing the public and private sectors," the report said.

This year a number of prominent global public and private organisations, including the UK's Serious Organised Crime Agency, the FBI, Sony and Citigroup, have been subject to cyber attacks by hackers that have in some cases resulted in the loss of personal data.

Chatham House said the Government "cannot provide all the answers and cannot guarantee national cyber security in all respects and for all stakeholders". Instead it called on businesses involved in the UK's "critical national infrastructure (CNI)" to take more responsibility and be more aware of threats facing their own companies.

"Senior management should, for example, create incentives for departments and individual employees to recognize and address cyber dependencies and vulnerabilities as they arise," the report said.

"However, this will only be achieved to the extent that board members are themselves more aware of the opportunities and threats presented by cyberspace," it said.

The Government can help raise awareness of cyber security threats and risks, but other organisations should look at "hidden" vulnerabilities in their own business and help develop "comprehensive internal strategies and risk awareness levels as well as updated and dynamic technologies and management processes" to help deal with the problem, the researchers said.

Research and investment in cyber security is currently "under-resourced" despite its "essential" need, the report said.

Companies should include cyber security as a "fundamental component" of their risk strategies to "increase overall resilience" against threats, it said.

The report also said that it was "integral" that staff are trained in cyber security measures and called on the Government to talk about cyber security in a language private-sector management can understand.

"Cyber terminology should be clear and the language proportionate to the threat. It should also encourage a clear distinction to be made between IT mishaps and genuine cyber attacks," the report said.

The researchers also recommended that organisations build a "cyber security culture" to help it become "responsive to the rapid pace of change in technology and innovation".
