A report from the National Audit Office has warned that Britain’s IT skills shortage means that the country and its critical infrastructure could be unable to defend itself from cyber attacks for at least 20 years.
It also reported that the UK suffered 44 million cyber attacks in 2011 – approximately 120,000 per day, costing the country more than £27bn annually.
In an effort to increase the level of computer expertise, it is proposed that science and technology be promoted properly in schools to ensure that the number of cyber security specialists grows in line with the nature of the threat.
Paul Davis, director of Europe at FireEye comments:
It is hardly surprising that we are deemed unprepared to tackle current cyber security threats – as until recently, there has been a long-standing culture of complacency when it comes to proper cyber defence. While it is true that our national bank of computer experts is light in comparison to the number of cybercriminals attempting to break into our networks, there is also the issue that widespread overreliance on obsolete security tools and low awareness of the advanced tactics used by hackers is leaving too many networks wide open to attack.
The stakes have never been higher, and cyber security is no longer a conversation restricted to the IT team – it is an enterprise-wide concern that must be treated as such. The advanced capabilities of hackers and the increased storage of highly sensitive data has created a perfect storm for cybercrime, and it is essential that board level executives are able to gauge the vulnerabilities within their organisation, and understand what investments must be made to combat that security risk.
It is a great step forward to propose greater promotion of science and technology in schools to develop the next generation of cyber security experts, but what happens in the meantime? Organisations, particularly those with vulnerable intellectual property or critical national infrastructure to defend must urgently up the ante on security to avoid the potentially devastating consequences of attack. Constant monitoring and proactive threat mitigation are essential for bulletproof protection. With so many attacks reported daily, the odds really are stacked against organisations – and it’s time to fight fire with fire.
Ross Brewer, managing director and VP, international markets, LogRhythm comments:
While the report paints a pretty bleak future for the nation, it should in fact be welcomed as evidence that the government is finally catching up to the true risk of online attacks. It’s also encouraging to see that the government is continuing in its line of investing in the next generation of IT specialists, following last year’s announcement that it would be plugging £8 million into the development of security skills at universities to help battle against cybercrime.
Reactive IT defences are undeniably outdated, and as Amyas Morse rightly stated today, organisations both public and private must be constantly aware of the cyber threat if the nation is to have any hope at protecting itself against attacks. As our world becomes increasingly connected and as data volumes grow at unprecedented rates, the potential for intellectual property or other critical information to get compromised in the chaos, or exposed to attacks, grows exponentially. However, being “too proactive’ – such as in the form of pre-emptive strikes, as have been previously recommended by other government bodies – could incite disturbing consequences such as the execution of even more sophisticated state-sponsored attacks on the UK’s critical infrastructure.
Rather than launching pre-emptive cyber attacks, or relying solely on perimeter IT defences, we must start to introduce mechanisms that give context to data and facilitate a deeper understanding of all network activity, as it happens. In doing so, we must turn our mindset towards proactive, continuous monitoring of IT networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all – after all, you can only defend against that which you can see. Hopefully this report will help enterprises and public entities acknowledge the level of constant awareness that is required to protect the data that they are entrusted with.