ISPs treat cyber security as a top priority

Better law enforcement training and coordination of cyber security and support for a government-backed awareness campaign are two key findings of an ISP survey by the Internet Services Providers’ Association (ISPA).

ISPs treat cyber security

Cyber security has risen up the agenda for business, policymakers, government, law enforcement and users in recent times, yet it has always been a priority for ISPs. ISPA surveyed its members across a range of cyber security areas, including where it sits in their business, the nature and impact of cyber-attacks, the tech used to safeguard networks and the role of end users, Government and law enforcement.

Cyber security is a rising priority, with senior responsibility within the company as ISPs and customers are subject to regular attacks. ISPs play a proactive role through network protection, customer support and by working with authorities to help mitigate threats. Government and law enforcement should prioritise awareness raising and education, and improve how they deal with reports and coordination of cyber security.

The survey shows a real belief among ISPA members in a partnership approach with different stakeholders playing their part. This means government, law enforcement, Internet companies, individual users, ISPs and businesses all working together to protect networks, follow good cyber hygiene, mitigate threats and bring offenders to justice.

Cyber security is critical for ISPs

With over 90% of ISPs coming under some form of attack, over three quarters of respondents planned to spend more on cyber-security. Responsibility for cyber-security lies with the top layer of management for 93% of respondents and over three quarters said it had become an even more important priority in the last five years. Cyber is good for business too, with 75% saying they had been asked about cyber security by potential customers.

ISPs are concerned that intrusive powers in the Investigatory Powers Bill will compromise security, and that better enforcement and more prosecutions were more effective than new regulation.

ISPs take a proactive role

85% of those surveyed said ISPs should take a proactive role in cyber security, with 92% offering free tools and assistance for customers and 100% either have reported or would report breaches, and more than two-thirds sharing information with industry colleagues.

Government and law enforcement need to up their game

Law enforcement needs to improve how it handles cyber-crime with a wide gap in reports actually leading to successful investigations. Of the 83% of respondents who reported cyber-crime to the police, only 20% felt reports were consistently followed up and 30% said reports received no response at all. When asked how cyber-crime could be better handled, ISPs said the police needed more funding and better training, better threat information sharing and a new education and public information campaign for end users.

10 key findings

The results from the ISPA members that were surveyed reveal 10 key findings:

1. Cyber-security is an increasing priority for 79% of ISPs surveyed, 77% said spending is increasing and MDs or C-Suite executives are accountable for cyber-attacks.

2. 92% are subject to cyber-attacks on a daily (31%), weekly (23%) or monthly (38%) basis.

3. ISPs provide a wide variety of tools and services to protect networks and tools to end users.

4. 85% of those surveyed said ISPs should have a proactive role to play in maintaining customer protection and mitigation.

5. ISPs take a proactive approach, with 84% of those surveyed having reported incidents and breaches and 92% provide advice and tools.

6. ISPs want Government to focus on awareness raising (64%) rather than creating new regulations (18%) to meet the challenges of cyber security.

7. Law enforcement should prioritise better training (83%) and coordination with industry (83%), as well as increase funding (58) and prosecutions (50%).

8. 91% are concerned about Government surveillance measures impacting on network security.

9. There is inconsistency with how law enforcement deals with ISP incident reporting.

10. While a large number of public bodies are in contact with ISPs, a third receive little or no contact.

Recommendations

In response to the survey, ISPA has made the following recommendations:

1. Government should focus be on education, awareness and work collaboration with industry rather than resorting to legislation

2. Government must consider the damage surveillance legislation can have on network security, such as the intrusive hacking powers within the Investigatory Powers Bill

3. Law enforcement should prioritise better training of officers and coordination of cyber security

4. There needs to be more consistency when an ISP reports a case to law enforcement so that all reports are followed up and investigated to bring criminals to justice

5. Authorities must do more to reach out to the full breadth of the ISP industry, engaging them in information sharing work and consultation