Cyber security: striking a difficult balance

Inside the enterprise: If defence of the realm is the first duty of government, then when it comes to cyber threats, the UK should be ahead of the game.

Over the last few years, the UK government and its agencies have invested significantly in stepping up cybersecurity protection, even devoting a significant share of a declining military budget to cyber measures.

Business advice, too, has been at the centre of this more hands-on approach, with a range of measures drafted to help businesses improve their own cybersecurity posture. This is one area, at least, where we really are "all in it together".

By the Government's own estimates, 93 per cent of large companies, and 87 per cent of SMEs, have suffered a cyber breach over the last year with a cost ranging from 450,000 to 850,000 for breaches at large enterprises.

Aside from direct involvement in countering the cyber threat, such as the 650m committed to cyber protection in 2010's Strategic Defence and Security Review, the focus has been on improving collaboration between Government, and its security agencies, and business.

This has, for example, led to a more overt role for GCHQ, including an extension of the Cheltenham-led CESG CCP certification scheme to private sector candidates. Previously, this certification was limited to civil servants, the military, and of course, the spooks.

This is generally beneficial: smaller firms, in particular, should benefit from free and generally high-quality advice. But the government needs to strike a balance between supporting business, and dictating to them how to protect themselves. This balance is especially difficult in areas of critical national infrastructure (CNI), where companies deliver services that everyone in the country depends on.

The latest move by the UK Government is its policy paper, Cyber security skills: business perspectives and government's next steps, published earlier this month.

This latest paper includes a proposed, new cyber-security curriculum for 11 to 14 year olds, and more support around cyber security for the university sector. A large part of the Government's overall strategy, according to ministers, is to improve the UK's "cross- cutting knowledge, skills and capability" the country needs to improve cyber security protection.

This, the Government admits, is a challenge. Barriers range from a low take-up of STEM (science, engineering, technology and maths) subjects in school and a lack of awareness of cybersecurity careers, to a need to improve broader understanding of cyber risks. This includes continuing to raise awareness among company boards.

Again, addressing these issues is a laudable aim and the UK has made real progress in improving both awareness and the level of security skills, and the overall standard of defence over the last few years.

But there is a risk that well-meaning initiatives turn into overly prescriptive measures.

There is a plethora of security certifications in the profession already, and some industry figures question whether more are needed, especially certifications that lean heavily on public sector practice. And new laws coming up, such as the EU's Data Protection Regulation, could go further in telling companies how to protect their systems.

Government action so far has been useful, and should be welcomed. But maybe now is the time for the IT industry to show what it is doing to put its cyber-security house in order.

Stephen Pritchard is contributing editor at IT Pro.