Defence & cyber security roundtable
Are you ready, if it happens?
Continued from previous page...
Piper mentioned incident preparedness, crisis management and business continuity. “How ready are businesses if a cyber incident occurs? Can they handle the impacts of the breach, from the practical to PR issues? If it happens, who deals with it, and how?”
Boards need to have their cyber plans in place, and to have their resilience tested, he added.
Peddie: “Cyber policy and strategy needs to be combined with an implementation plan but it also needs to be combined with a disaster recovery programme.”
Eryl Smith: “We have to accept that we will never get a perfect world, but there’s a lot that can be done very simply and effectively to raise our levels of capability and protection.”
... or virtually leave your valuables behind
James mentioned ‘cloud-lockers’ – for short-term virtual data storage. “Recent client security testing of cloud-lockers discovered that previous users had not cleared out all their data from the locker.” This highlights the need for additional audit rights in relation to security and to carry out adequate due diligence before engaging a virtual provider.
Roy: “In cyber terms the boundaries are often theoretical, so you can’t just concentrate on what you are doing. Systems can be interlinked, data-sharing happens, so it’s not just internal or external threats. You have to consider security as a holistic thing.”
Data-sharing was not only a concern, but an essential weapon against cyber crime, said James. Hackers share their information, but it is important that companies do too to improve their security. “No-one likes washing their dirty linen in public, but how do we incentivise people to do that and share their experience and knowledge?”
Pudwell said sharing within sectors was happening at top corporate levels – he highlighted major banks – but agreed that wider sharing of collective business knowledge would greatly benefit cyber security.
McKenzie: “The US are years ahead of us in cyber technologies, but when it comes down to international sharing, government laws do restrict them.”
www.businessmag.co.uk
Hope: “A system breach or attempted infiltration will trigger multiple, apparently unrelated, indicators across an organisation’s security systems. Those feeds need to be combined and correlated to provide a confident alert of a successful attack.
“Only then can response technologies be mobilised to isolate and contain the attack to a local area so that the rest of the network can function without interruption. The problem, once identified, can be remedied quickly and simply by first-line staff or automated if preferred. It’s important that all actions – human or automated – are undertaken in a forensically sound manner, retaining an audit trail throughout in order that a comprehensive impact assessment can be made and used thereafter to support internal HR investigations or litigation.”
Pudwell mentioned the cyber attack on RSA Security last year. The breach led to the IT security vendor overhauling the manufacturing and distribution of its SecurID tokens, resulting in the lengthy process of re-issuing tokens to clients, costing millions of dollars.
“They worked very hard to recover from that and they are still in business. Their handling of the soft side, the PR and communications, was important. They admitted the breach fairly early and informed people well about how they were dealing with it. Of course, they were big enough to throw millions of dollars at the problem; further down the scale that’s not so possible, and a breach could quite easily be the end of an organisation.”
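The pattern Hope describes, several independent feeds agreeing on one host before a confident alert is raised, followed by a contained response whose every step is logged in a tamper-evident way, can be sketched in code. The following is an added illustration, not code from the roundtable or from any participant's company: the feed names (ids, endpoint, auth), host names and indicator lines are constructed sample data, and the ten-minute window and two-source threshold are assumed tuning values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json


@dataclass(frozen=True)
class Indicator:
    ts: datetime
    source: str    # the security system that raised it (constructed names: ids, endpoint, auth)
    host: str
    detail: str


@dataclass(frozen=True)
class Alert:
    host: str
    first_seen: datetime
    sources: tuple   # distinct feeds that agreed on this host
    evidence: tuple  # the Indicator objects behind the alert


# Constructed sample feed output: one genuine cluster on ws-017, two decoys.
CONSTRUCTED = [
    Indicator(datetime(2012, 4, 2, 9, 14, 3), "ids", "ws-017", "outbound beacon to flagged address"),
    Indicator(datetime(2012, 4, 2, 9, 15, 40), "endpoint", "ws-017", "unsigned binary launched by office process"),
    Indicator(datetime(2012, 4, 2, 9, 16, 10), "auth", "ws-017", "new local administrator account"),
    Indicator(datetime(2012, 4, 2, 9, 15, 10), "ids", "ws-042", "single port-scan signature"),
    Indicator(datetime(2012, 4, 2, 11, 30, 0), "endpoint", "ws-042", "unsigned binary launched"),   # 2h later: outside window
    Indicator(datetime(2012, 4, 2, 10, 1, 0), "ids", "ws-099", "repeated signature hit"),
    Indicator(datetime(2012, 4, 2, 10, 2, 0), "ids", "ws-099", "repeated signature hit"),           # same feed twice: not independent
]


def correlate(indicators, window=timedelta(minutes=10), min_sources=2):
    """Combine per-host indicators from independent feeds into confident alerts.

    An alert is raised only when at least `min_sources` *different* feeds fire
    for the same host within `window`; repeated hits from one feed never reach
    the threshold on their own, and evidence already used is not alerted twice."""
    by_host = {}
    for ind in sorted(indicators, key=lambda i: i.ts):
        by_host.setdefault(ind.host, []).append(ind)
    alerts = []
    for host, events in by_host.items():
        i = 0
        while i < len(events):
            anchor = events[i]
            cluster = [e for e in events[i:] if e.ts - anchor.ts <= window]
            sources = sorted({e.source for e in cluster})
            if len(sources) >= min_sources:
                alerts.append(Alert(host, anchor.ts, tuple(sources), tuple(cluster)))
                i += len(cluster)
            else:
                i += 1
    return alerts


class AuditTrail:
    """Append-only, hash-chained record of every detection and response action,
    so a later impact assessment can show what was done, by whom, and in what order."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def record(self, actor, action, **data):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "actor": actor, "action": action, "data": data, "prev": prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def respond(alerts, trail, actor="first-line"):
    """Isolate only the affected hosts so the rest of the network keeps running,
    logging the alert evidence and each containment step to the audit trail."""
    isolated = []
    for a in alerts:
        trail.record("correlator", "alert", host=a.host, sources=list(a.sources),
                     evidence=[(e.ts, e.source, e.detail) for e in a.evidence])
        trail.record(actor, "isolate_host", host=a.host)
        isolated.append(a.host)
    return isolated


if __name__ == "__main__":
    found = correlate(CONSTRUCTED)
    log = AuditTrail()
    print("isolated:", respond(found, log), "trail intact:", log.verify())
```

Only ws-017 produces an alert: ws-042 has two feeds but hours apart, and ws-099 has two hits from the same feed. The chained hashes mean that altering any recorded step afterwards makes `verify()` fail, which is the property an audit trail needs if it is to support a later investigation.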
Should the Government take the lead?
Durrant suggested that, given the risks of being unable to contain cyber threats which may initially affect only some users, the government may in fact need to take the lead in getting private companies to share their cyber security knowledge for the benefit of the wider national or even pan-national security regime.
Eryl Smith indicated that pilot studies were underway aimed at improving information sharing between government agencies and business and between businesses so as to better understand the threat and share best practice. “There are obstacles to be overcome, including commercial and legal issues, but it is to be hoped that this will pave the way to increased levels of information sharing and preparedness.”
Another parallel programme on information-sharing is being run by UK technology body Intellect and ADS (Aerospace, Defence, Space trade organisation) under the ‘For Industry, By Industry’ banner, said Smith. This was aimed at encouraging industry to undertake sharing from a bottom-up level.
“I anticipate that over the next six months, the Government will have to signal what leadership it is going to give, what it’s going to require, or mandate, while accepting that there is a timescale of three to four years just to get to ‘good’. There is government recognition that you can’t simply wave a magic wand and everything will be hunky-dory.”
McKenzie thought that, like the media, the Government is a tool that can drive and create awareness but “ultimately if you want people who understand long-term open systems you have to look to industry to drive the architecture, thinking and strategy. After all, it will be building systems that outlive the politicians, who do not have the skillsets and understanding required.”
Things were different in the US, where the Government, industries and the private sector operate much more closely together than in the UK, the Roundtable agreed. “However, don’t automatically assume that what happens in the US is a panacea for the way we should develop policy and strategy in the UK,” warned Eryl Smith.
Pudwell noted that the UK Coalition Government was making progress in its closer involvement with industry, aiming to develop a true ‘UK plc’. “They are saying: ‘Tell us what we need, how do we raise our game?’ because they do want a home-grown cyber security industry.”
Operational risk or industrial opportunity?
Eryl Smith: “Much as this debate is about the risks of cyber activity, this is also a major economic opportunity for our sector to develop new products and services for export.”
Pudwell revealed that 95% of his company’s revenues already come from worldwide export, including the market-leading cyber security countries such as the US, Israel and Japan. One reason for his high level of export business was the mindset of potential UK buyers, who tended to purchase from market leaders, he added.
The question remained: given the technology prowess in the south east, and the Thames Valley in particular, how do we seize that and turn it into a virtue rather than a risk?
Is it an innovative industry? asked Murray. “Absolutely!” came the Roundtable reply.
Pudwell: “We have some great universities and colleges here, and our R&D work is as good as anybody’s. GCHQ is world-class and we have some huge advantages, such as government support for R&D through tax benefits.” Commercial links with universities were becoming increasingly easy to set up.
“Around the world there is also a huge respect for the professional UK way of doing business, and part of that is trust. There is concern that technology from other parts of the world may have back-doors
THE BUSINESS MAGAZINE – THAMES VALLEY – APRIL 2012