20 January 2015
Government minister Ed Vaizey explains the initatives which are set to strengthen the UK’s digital economy
Rarely a day goes by without a new story relating to hacking or cyber security. The news is currently awash with details of a huge data breach at Sony Pictures and the resulting fallout. Everything from passwords and employee personal details to intellectual property and financial information appears to have been stolen, with much of it posted online. Sony is now fighting a battle to preserve its reputation and get its business back on its feet.
A string of banks, retailers, big tech firms and public institutions have experienced similar problems in recent years. It is easy to be blasé about some of these high-profile data thefts, especially when they are happening to large corporates in far-away countries. However, we are all at risk if we do not take basic precautions.
The growth of the internet has transformed our everyday lives and it is an important part of our economy. The internet-related market in the UK is estimated to be worth £82 billion a year and British businesses earn £1 in every £5 from the internet. I am proud of our strengths in technology, innovation and creativity; our economy benefits hugely from these factors. This is why it is so crucial in a modern, digital economy to ensure we do business online in a safe and secure way.
The scale of the cyber threat is significant: 60% of small businesses and 81% of large organisations reported an information security breach in the past year. The average cost of the worst breaches runs into hundreds of thousands of pounds – and sometimes into the millions for larger firms.
The threat is coming from a wide range of actors including criminals, hacktivists and state-sponsored groups. Although many cyber attacks are opportunistic and rely on the exploitation of poor basic IT set-ups and processes, there is also an ‘advanced persistent threat’, where sophisticated tools are used for industrial espionage and to steal commercial secrets and IP. With UK firms investing an estimated £126.8 billion in knowledge assets, compared to £87.9 billion in tangible assets, it is easy to see how valuable this area of our economy is.
The Government is in the midst of delivering a five-year National Cyber Security Programme to protect and enhance the UK in cyber space, backed with £860 million of investment. Our aim is to make the UK one of the safest places in the world to do business in cyber space. As a leading digital economy, we need to ensure the UK is secure enough to protect businesses, promote growth and attract investment. We are doing this by working in partnership with the private sector, law enforcement, academia and with our worldwide partners. The partnership with industry is absolutely crucial, not only because the private sector owns and operates much of the infrastructure our digital economy relies on, but because industry is our engine for growth and prosperity.
ICSA has been making its own contribution to this partnership. Its members are in the crucially important position of being able to positively influence the boardrooms of their companies and clients. ICSA’s guidance note on cyber risk recognises the importance of treating cyber security as a strategic business risk rather than simply a problem best left to the IT department. Managing cyber risk means considering people and processes, as well as technology. This encompasses the whole company, including human resources, finance, IT, marketing and legal. The Institute is continuing to champion the issue of cyber security and I welcome the role it is playing in raising awareness and encouraging action.
With the help of ICSA and other industry partners we are making significant progress. The Government’s 10 Steps to Cyber Security guidance, showing how organisations can manage cyber risk and protect their valuable assets, has been viewed over 30,000 times. This shows that cyber security is now on the agenda in UK boardrooms. Our Cyber Security Governance Health Check carried out in 2013 with FTSE 350 firms showed 62% of companies think their board members are taking the cyber risk very seriously, and 60% understand what their key information and data assets are. We ran the health check again during 2014 and will be publishing the results shortly. Our 2014 Information Security Breaches Survey showed the overall number of cyber attacks going down, although there is no room to be complacent as the survey also shows the cost and impact of those attacks is increasing.
The Government is continuing to work hard to protect our economy. I recently launched a free cyber security training package at the Law Society to upskill professionals in the legal and accountancy sectors. We are also working to address the cyber threat with other sectors such as retail and finance. We recently published Cyber Security Guidance for Non-Executive Directors, giving NEDs the knowledge and confidence to help their boardroom colleagues protect their businesses. The current Cyber Streetwise campaign you may have seen on your train to work is also helping small businesses and consumers understand the good behaviours they need to practice online.
All this work was detailed in the recent announcement to mark the third anniversary of the National Cyber Security Strategy. The progress report contained details of the Cyber Security Information Sharing Partnership, a joint Government and industry initiative to share cyber threat and vulnerability information and increase overall situational awareness of potential threats. The partnership is helping reduce the impact of cyber attacks on UK businesses. Around 750 organisations have now joined, a 50% increase on the target we set for the end of 2014. The more partners that join, the more information is shared and the better our collective resilience. We are encouraging all businesses to join now.
The Sony breach reminds us that if a business has important digital assets, it needs to make protection of those assets a priority. Failing to properly protect these assets is akin to leaving the safe open at night or failing to lock the front door of the jewellery shop. Cyber Essentials, the new Government-backed and industry-supported scheme, shows businesses how they can get the basics right and protect themselves against the most common threats. Analysis by the Government and security agencies shows at least 80% of successful cyber attacks on businesses could have been prevented with these basic measures in place. The five basic controls in Cyber Essentials are the minimum all businesses with digital assets should have in place – we encourage large and small businesses across the economy to adopt Cyber Essentials. The Government now requires many suppliers of products and services to hold Cyber Essentials certification – organisations like Barclays, Vodaphone and CBI are already certified. As well as providing actual protection against threats, certification allows organisations to display the Cyber Essentials badge and demonstrate to customers and clients they take cyber security seriously.
This last point is key: it is important to see technology and security as an enabler, rather than a threat that needs to be dealt with. As well as protecting sensitive data and intellectual property, good cyber security can boost reputations and provide a competitive selling point. This can be seen widely in how businesses are using technology to innovate and provide new products and services.
The UK’s digital sector now employs more than one million people and over the past 10 years, the ICT sector has grown over three times faster than the whole economy. In 2012, the sector contributed 8% (£106 billion) of GVA to the UK. The online world is acting as an enabler for businesses right across the economy, which is why cyber security is so important for this Government and why we need to continue working with our partners in industry. The protection of our knowledge and intellectual property is crucial to our future success and is a key feature of our work to make the UK the most advanced digital economy in the world.
ICSA’s guidance note on cyber risk can be found on the website by clicking here and more information about its cyber training course can be found here.
Online Government resources:
10 Steps to Cyber Security guidance can be found here on the government website
Cyber Security Governance Health Check can be found here on the government website
Cyber Security guidance for Non-Executive Directors can be found here on the government website
Cyber Essentials free documents are available at www.cyberstreetwise.com/cyberessentials
Ed Vaizey is Minister for Culture and the Digital Economy at the Department for Business, Innovation & Skills