The UK was hit by over 40 million cyber attacks in 2011 averaging nearly 120,000 attacks per day. CBR rounds up expert opinions on the findings.
Ross Brewer, International markets managing director and vice president at LogRhythm
While the report paints a pretty bleak future for the nation, it should in fact be welcomed as evidence that the government is finally catching up to the true risk of online attacks. It's also encouraging to see that the government is continuing in its line of investing in the next generation of IT specialists, following last year's announcement that it would be plugging £8 million into the development of security skills at universities to help battle against cybercrime.
Reactive IT defences are undeniably outdated, and as Amyas Morse rightly stated today, organisations both public and private must be constantly aware of the cyber threat if the nation is to have any hope at protecting itself against attacks. As our world becomes increasingly connected and as data volumes grow at unprecedented rates, the potential for intellectual property or other critical information to get compromised in the chaos, or exposed to attacks, grows exponentially. However, being 'too proactive' - such as in the form of pre-emptive strikes, as have been previously recommended by other government bodies - could incite disturbing consequences such as the execution of even more sophisticated state-sponsored attacks on the UK's critical infrastructure.
Rather than launching pre-emptive cyber attacks, or relying solely on perimeter IT defences, we must start to introduce mechanisms that give context to data and facilitate a deeper understanding of all network activity, as it happens. In doing so, we must turn our mindset towards proactive, continuous monitoring of IT networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all - after all, you can only defend against that which you can see. Hopefully this report will help enterprises and public entities acknowledge the level of constant awareness that is required to protect the data that they are entrusted with.
Bill Walker, Technical Director at QA
The results highlight real cyber security risks to UK businesses. These risks are simple to address with a combination of the right policies, procedures and training in place. With cybercrime on the rise, companies need to understand their own security vulnerabilities and put policies and procedures in place to address them. The survey results can also be viewed in the broader context of the need to ensure a prepared and well-trained security team which can protect the corporate network should a breach occur.
Amyas Morse, head of National Audit Office
The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack.
It is good that the Government has articulated what success would look like at the end of the programme. It is crucial, in addition, that progress towards that point is in some form capable of being measured and value for money assessed.
Paul Davis, director of Europe at security frim, FireEye
It is a great step forward to propose greater promotion of science and technology in schools to develop the next generation of cyber security experts, but what happens in the meantime? Organisations, particularly those with vulnerable intellectual property or critical national infrastructure to defend must urgently up the ante on security to avoid the potentially devastating consequences of attack. Constant monitoring and proactive threat mitigation are essential for bulletproof protection. With so many attacks reported daily, the odds really are stacked against organisations - and it's time to fight fire with fire.
Thurstan Johnston, sales engineer at security firm, Faronics
This report rightly points out just how complex it has become to thwart cyber crime in the UK. There is no question that a shortage of skilled professionals is extremely detrimental to our cyber defence effort and it is something the government seriously needs to address if it wishes to defend itself from today's sophisticated attacks.
However, there is not just a skills gap to consider, but also a huge awareness gap that needs to be filled. Many organisations still believe that they are sufficiently protected with just a good security package, which not only indicates blazing ignorance, but also a lazy approach to combating cyber crime that could have expensive consequences. Threat mitigation has become an holistic endeavour, with skills, education and awareness being the essential elements.
The lack of awareness within organisations is frightening, especially when considering just how much damage attacks can inflict. Organisations have had it drilled into them that anti-virus, firewalls and other perimeter security tools are adequate, however it is now the skills and awareness gap that needs to be focused on. If the government can begin educating today's younger generation on both these deficiencies the UK will be in a much stronger position when faced with tomorrow's cyber attacks.
Ross Parsell, Cyber security expert at Thales UK
Out of the six key challenges the NAO identified in its 'Cyber Security Strategy: landscape review', I'd have to say addressing the cyber security skills gap should be top of that list. To be at the forefront of cyber security, both private and public sector organisations need to hire and maintain qualified cyber employees. However, the need for cyber security experts in the UK far exceeds the pool of qualified personnel. To tempt talented people into a career in cyber security, the government needs to get them while they're young. Last month's announcement that the government is to make Computer Science a core subject being taught in British schools is a step in the right direction. The challenge now is to ensure that the dots are joined up between policies like this at national level and the curriculum being delivered at our schools, colleges and universities.
Guy Bunker, SVP of products at Clearswift
While the speed and complexity of cyber-risks continues to grow rapidly, the people and the skills needed to combat them are lagging behind - and the truth is that this is not something we can change overnight. We have seen the government put money into cyber-education, with changes in the national curriculum and for GCSEs; it has also put money into further education centres of excellence. But we now need to ensure that this is a field that individuals want to go in to - and therein lies a challenge.
While information security is 'cool' for those of us that are in it (hey, we're not going to say otherwise are we?), just how cool is it compared to other internet based businesses and careers? As a graduate, would you prefer to work for Apple, Google, Facebook, or a security company? Security might be a more demanding intellectual challenge (trying to out think cyber-criminals requires all sorts of creativity), but would your friends be envious of you? Probably not. So there needs, perhaps, to be more publicity for those who do 'save the earth' from the latest virus, or those who thwart internet-based industrial espionage. And there may, too, be a need for or maybe greater rewards: at a time when student fees and loans are at an all-time high, maybe there should be additional financial incentives to moving into the field. It may take 20 years to fill the skills gap, but do we have that long? We need to look at ways to accelerate the solution
Jarno Limnell, Director of Cyber Security for Stonesoft
The UK NAO report is a breath of fresh air, especially in light of last week's misguided proposal by the European Union which suggested that cyber threats can be solved by creating more statutes, directives and restrictions.
Correctly, the NOA doesn't just recommend throwing money at the problem. The right approach should be based on a strategic and technical understanding of the risk. This is the only way that the appropriate levels of defensive and offensive cyber security measures can be implemented and the relevant expertise acquired or nurtured. This leads to both cost efficiencies and better national security defences against cyber attacks.
Mark James, Technical Director for ESET
Cybercrime is often much more accessible to organisations than physical crime and we absolutely need to improve our fight against it. We need to start at the grass roots, and businesses and individuals have to be more aware that any data - however unimportant it may seem - is valuable to someone. To increase this awareness the Government and leading IT enterprises have a responsibility to be more involved in sharing their knowledge and educating others. But this is a complex problem - not only does it require education, but a change in the laws when it comes to punishing those involved."
Paul Everitt, chief executive of ADS, trade organisation for the aerospace, defence, security and space industries
Today's NAO report reveals good progress has been made with the delivery of the Government's Cyber Security Strategy. However, with cyber-crime an intangible but very real risk, there is more work to be done to protect British business. The report shows greater resource and a greater number of skilled workers will be needed to continue the UK's fight against cyber-crime in the future and suggests more needs to be done to encourage young people to consider a career in a sector which delivers great value to both UK government and business. ADS represents British business with high technology and advanced manufacturing capabilities across several key UK sectors and we know that ultimately the threat of IPR theft, reputation destruction and supply chain breach from cyber-crime could jeopardise long term revenue streams, economic growth and the UK's GDP recovery.