30 defence & cyber security roundtable


Information security was already becoming a reputational issue in the US and Japan, he noted.


Companies won’t be operating without the basic cyber security minimum, if the media is watchful, he suggested. “The Press could actually help us the most.”


Continued from previous page...

Get it on the agenda!

Terry Pudwell


highlighted Cyber Security as one of the highest challenges for national security, highlighting the major perpetrators as organised crime, disaffected individuals (and/or employees), rogue organisations (which could include state-sponsored activity) and unscrupulous commercial enterprises (activity such as IP theft). Cyber attacks were generally aimed to be offensive or to steal information for gain.


Hope: “Someone with a mental construct that represents an intent to cause a detrimental event to occur.”


Can hacks help beat the hackers?


Pudwell: “It’s interesting being at an event hosted by Pitmans and The Business Magazine, because such organisations can help in this greater awareness and understanding. Security software vendors can talk with clients about protecting assets till they are blue in the face, but we have strong vested interests.” American professional services firms not in the cyber security space were increasingly involved in identifying and valuing critical information assets, he noted. Such independent advice may encourage boards to spend on cyber security.


“The biggest impact might be made by our friends in the media. As soon as they get onto a subject that is interesting and exciting, which this is beginning to be, it becomes front-page news. Sooner or later it will be reputational damage that becomes a driver. Are you going to do business with someone you have just read the worst about in the daily paper?”


www.businessmag.co.uk


Eryl Smith said businesses needed to be helped to help themselves. “We should not frighten people. We shouldn’t go overboard about the concerns. It’s not something that’s going to be resolved overnight, but there are things that can be done now, simply and cheaply, to reduce the risks. 80% of potential cyber attacks can be prevented by basic cyber protection measures. Part of it is what is government’s role in signalling intent? And what is the opportunity and responsibility of business to pick up that mantle and move forward?”


are doing it. Why should that be different from information security? At least being on the agenda is a prompt to start thinking about making things better.”


Is cyber security in the ‘too hard’ pile?


David Murray noted that SMEs often didn’t have the resources to tackle the scope of cyber threats.


Pudwell: “Some of our biggest companies are world leaders – for example, in aerospace, pharmaceuticals, banking – and do implement extremely good cyber security. Some of that technology could be implemented very easily and cheaply in the majority of businesses. We should follow Pareto’s 80:20 law: we can deal with a mass of the risk with a small focused effort.”


Williams: “SMEs are often more concerned about the operational impact of using security technologies within their businesses. Today, there is greater awareness of the risks and the technology available to help overcome them, but SMEs don’t feel they can deploy them in an efficient cost-effective way. So, they retrench and settle into inertia.”


Jason Hope


Piper said it was a matter of getting cyber security onto the national agenda.


Sandy McKenzie: “What we are experiencing is very much a technology shock, which is now becoming a more important long-term agenda item.” He agreed that there were massive gaps in understanding and this was a global problem because of companies’ inter-connected partnerships and international trading.


“We have to come up with affordable yet capable security systems that will outlive all of us sitting around this table, but if people don’t understand how to use them, what’s the use in having them?


Mike Williams: “It is key that we get this on the agenda, particularly in the SME environment, because just assessing the risk and its potential is the starting point for a better understanding of today’s overall business risk environment.


“Health & Safety now appears on probably every board agenda, because you need to show that you


Eryl Smith: “Currently, debate, discussion and understanding around cyber is still relatively immature from the business perspective. It has been highlighted publicly, but too many people in industry are still trying to understand what it all means. It is very difficult to put a value on what the cost is to a business. So, how do you make a robust business case?”


Hope said that in recent research, KPMG’s European head of technology, Tudor Aw, said: “It is concerning that so many businesses still treat data security as nothing more than a hygiene exercise when it should be elevated to a more strategic concern.”


Jonathan Durrant highlighted that the risk and cost to businesses may not arise simply through technological failings. A company’s greatest assets, its people, may ironically also be its greatest liabilities in the context of cyber. Managing the risk involves making sure that staff understand the risks too and act accordingly. The immaturity in the business community about cyber threats highlighted by Smith was itself a concern. “If we don’t fully understand the importance at board level, then how can we expect our staff to either?”


Eryl Smith queried where SMEs could go to get cyber security help, guidance and best practice advice. The Department for Business, Innovation and Skills was still developing its support, he understood, and “it will be a while before they start to promote that widely and generically. It must be difficult currently for an SME to get authoritative advice without turning to individual commercial companies offering their goods and services.”


Rustam Roy suggested a mandatory compliance requirement would help create a market of commoditised advisory services, as had happened in other accreditation schemes. “Right now SMEs don’t know who to go to.”


Is the compliance landscape changing?


“I think it will,” said Eryl Smith. Getting engagement at senior leadership level was a major issue, not least because there were “so many governance issues that a board has to consider.” He highlighted how health and safety was now firmly on board agendas, but had taken years to get there. “People are saying: ‘It’s not affecting us, we’ll wait until there is a clear reason for doing it’.”


James said the mention of compliance often caused people “to switch off or do the bare minimum”. “But if you start to talk about loss of reputation, trust, brand, adverse PR, investors’ perceptions and effects on an organisation’s ability to secure funding or exit a business, such costs and the risks become easier to justify.”


Eryl Smith noted that in the defence sector, there had been three national strategies focused on cyber threats, “yet all without a clear implementation plan to take us forward. People are still trying to work out the real priorities, what standards need to be put in place”.


Should there be specific mandatory standards for sensitive sectors, like the MOD, or a suitable standard across all sectors? “Some very simple measures would dramatically


Adam Piper

THE BUSINESS MAGAZINE – THAMES VALLEY – APRIL 2012

