All the talk of collaboration has led to some questioning whether the UK has the talent, skills and most importantly people who will be tasked with protecting our national assets.
To quote my Dad: “If a job is worth doing, it is worth doing properly”, and to prove that point, CESG this week announced that those responsible for responding to and cleaning up some of the UK’s most serious cyber attacks will be five private firms – BAE Systems Detica, Context, Mandiant, MWR and Dell SecureWorks – while it will work with the Centre for the Protection of National Infrastructure (CPNI), in collaboration with the Council of Registered Ethical Security Testers (CREST), in order to achieve these aims.
It is probably no real surprise that private firms have been tasked with this; after all it is a combination of overseas expertise, and small and larger firms among those five who will be tackling the hackers. The question to ask may be on finance and who pays who, but with £25,000 on offer from government departments to entrants into the cyber defence league, this could be a good starting step.
Elsewhere this week, the European security agency ENISA published a report encouraging what it called the “digital fire brigades” of the computer emergency readiness teams (CERTs) to be better at data exchange “to make them interoperable”.
The UK CERT of course is not actually established yet, but is it its duty to protect and reflect the security threats to a nation, or to work with private companies and public services to alert on major threats? Brian Honan, head of the Irish CERT, said that “many CERTs just provide alerting services”, and with some CERTs around the world effectively run by volunteers with other jobs and responsibilities, how much can they be expected to deliver?
ENISA seemed to think that CERTs face challenges when it comes to the “smooth exchange and sharing of security information”, and it encouraged effective exchange of information around incidents to enable response. My concern is that more work is put upon CERTs who are otherwise engaged; this may see those involved either take a back seat or not participate in this crucial exercise. How much can you expect from those who are not fully committed?
That said, are businesses even concerned? A report published this week by Sophos and the Ponemon Institute found that of 2,000 respondents, 58 per cent said that their management do not see cyber attacks as a significant risk to their business, despite it costing SMBs over £1 million over the past 12 months.
What were the reasons? It found that there are three main challenges preventing the adoption of a strong security posture: failure to prioritise security (44 per cent); insufficient budget (42 per cent); and a lack of in-house expertise (33 per cent). So not information sharing then, or aid by a CERT, but just not enough time or talent.
This week I attended a conference specifically for information security professionals in the financial services sector, and the talks covered how stress testing exercises work, how compliance is the driver and, probably most amusingly, how a room full of capitalists would be a target for hacktivists and “tricksters”. Good luck to those protecting them.