Ely, England, 5 December 2011 – The widely anticipated UK Government’s Cyber Security Strategy was finally published at the end of November and, since then, it has caused some mixed reactions amongst business representatives across various sectors. Whilst many senior people are optimistic about the future safety of the UK’s cyberspace, some experts are more cautious and warn all types of organisations that they need to take information security more seriously.
The UK Government has stated that it will try to bolster defences against cyberattack by encouraging companies to admit computer security breaches and share their experiences with each other.
However, cybersecurity incidents that marked 2011 showed that organisations, including banks like Citigroup and big technology companies like Sony, are reluctant to admit that they have become victim of a data breach.
In an interview for Reuters, Alan Calder, a leading information security expert and CEO of Ely based company IT Governance Ltd, said, "If you are a large international bank, you don't want to admit you found you were penetrated nine months ago, because that implies you weren't paying attention".
He added, "I don't think it will work. The core target, the defence and financial sector, are much more likely to say nothing, unless there is regulatory requirement to do so".
Speaking to risk.net, Calder commented, “The big thing is that, while the government talks about needing to take the lead and have a public private partnership, what it really needs to be doing is making sure companies in the UK financial sector, and outside the financial sector, take information security a massive amount more seriously".
The new Cyber Security Strategy consist of four key elements: making sure the public are safe online and ensuring the UK is a good place to do online business; making the UK more resilient to cyberattack and better able to protect its interests; ensuring the UK can shape an open, secure and vibrant cyberspace; and building UK’s knowledge, skills and capacity to underpin these objectives.
Calder is adamant about ISO27001-implementation being one of the key measures organisations need to undertake in order to improve their information security and protect their information assets. ISO27001 is the internationally recognised information security standard which helps establish and maintain an effective information management system, using a continual improvement approach.
Calder and his company have helped a lot of clients align their information technology with their business objectives by helping them implement an information security management system which is aligned to ISO27001. The company has just launched their new ISO27001 Feasibility and Gap Analysis service and they carry out penetration testing as part of their comprehensive consultancy offering.
Working closely with clients, Alan sees the need for organisations to formally train their IT staff, but also to educate their non-technical staff.
Speaking to info 4 security online magazine, Alan said: “To be blunt, staff will be the weakest link. As technical defences improve, so attackers will increasingly seek to exploit human error, ignorance and vulnerabilities. Staff education and training in all aspects of cybersecurity is vital”.
Apart from certified professional foundation and advanced level training, IT Governance also provides in-house staff awareness courses which are an effective way to bring core information security principles to non-technical employees.
To find out more about IT Governance’s consultancy services go to www.itgovernance.co.uk/consulting.aspx and for information on training visit www.itgovernance.co.uk/training.aspx. Alternatively you can call the company’s friendly customer service team on 0845 070 1750, or e-mail them at firstname.lastname@example.org.