U.K. government needs to invest more in the country's education to head off future threats to infrastructure and the economy, says watchdog group study.
The level of cybersecurity in the U.K. is so shallow it presents a clear risk to national security -- and could take as long as 20 years to fix. That's the warning from a new study by the U.K. national spending watchdog, the National Audit Office (NAO).
Threats to cybersecurity are both "persistent" and "continually evolving," says the study, with the annual cost of cyber crime to the U.K. currently estimated to be between £27 billion and £42 billion ($18 billion and $28 billion). As a result, "Business, government and the public must therefore be constantly alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack." One report quoted in the study said the U.K. suffered 44 million cyber attacks in 2011 alone.
The report praised the government's decision two years ago to commit an extra £650 million ($1.01 billion) to beef up cyber defenses, with the money going mainly to the military and security agencies. However, that might only be the start of a longer journey to fuller security. The extra funding is scheduled to run out in 2015. To put the amount spent on security into context, the study says the U.K.'s Internet economy is over £120 billion ($187 billion).
The money is part of an initiative called the U.K.'s Cyber Security Strategy, which has detailed the risks of the U.K.'s growing reliance on cyberspace and lists a group as diverse as criminals, terrorists, foreign intelligence services, foreign militaries and politically motivated "hacktivists" as potential enemies who might choose to attack the nation via the Web or other electronic means.
So far the money has been put to effective use, says the study, citing the creation of the U.K. equivalent to the FBI, the Serious Organized Crime Agency (SOCA), which has clawed back more than 2.3 million items of compromised financial account holder card payment details in the U.K. and internationally since 2011. This prevented potential economic loss of over £500 million ($778 million). In the last 12 months alone the British public has come forward with over 46,000 reports of cyber crime, amounting to £292 million ($455 million) in attempted fraud, it said.
The challenge, say the report's authors, is the next stage: deciding where the country needs to commit resources going forward. The report identifies six action items that need funding: encourage the computer industry to protect and promote itself and U.K. companies; address the nation's current and future ICT and cybersecurity skills gap; increase awareness so that people are not the weakest link; tackle cyber crime and enforce the law; get government to be more agile and joined-up; and demonstrate value for money.
But a bigger issue that could hobble the entire program is a lack of homegrown IT security nous. The number of IT and cybersecurity professionals in the U.K. has not increased in line with the growth of the Internet, the report states, quoting experts who say it could take "up to 20 years to address the skills gap." Interestingly, that doesn't mean just more Brit white hat hackers; a number of skills need to be amplified, it believes. "The skills the U.K. needs to design and implement cybersecurity policy are not only technical, there is also a need for psychologists; law enforcers; corporate strategists and risk managers. Other professionals such as lawyers and accountants also need to understand cybersecurity in order to assess, manage and mitigate the business risk of cyber threats," says the study.
It also might mean some education at the consumer level. The study says up to 21% of U.K. Internet users do not think they have sufficient skills to protect their personal data, although the country's semi-secret communications defense body, GCHQ, has estimated that 80% of cyber attacks could be prevented through simple computer and network "hygiene," such as using strong passwords. Unfortunately, in 2012 the top three passwords in the U.K. were "password," "123456" and "12345678."