A Blog by Jonathan Low

 

Oct 16, 2013

The Biggest Challenge to Assuring Cyber Security? Inadequate Data

It's not the sturdiness of the defenses but the quality of the thinking that goes into planning those defenses.

History is replete with tales of supposedly impregnable fortresses falling to under-resourced but clever antagonists. There are many who still like to exclaim that the net changes everything. The reality, however, is that humans haven't changed all that much and they still design, program and maintain the systems charged with defending whatever realm is in question.

It stands to reason that, in a knowledge-based economy whose primary medium for identification, storage, management and communication of value is technological, data would be central to any strategy devised to protect those initiatives. As the following article explains, however, information about the source, nature and extent of such threats remains woefully inadequate.

This is especially true as most of 'the wealth of nations' is now counted in bits and bytes rather than doubloons or bars of gold. Another one of the seemingly eternal verities that the net has not rendered obsolete is that the best defense is a good offense. Obtaining adequate data in order to rationally and effectively plan to counter threats would appear to be the key to that strategy. JL

Vanessa Kortekaas reports in the Financial Times:

More than half the finance directors at the UK’s biggest companies say they do not have enough information to stave off cyber attacks effectively.
The findings from big four accountancy firm PwC follow the recent government initiative to help companies fight serious cyber attacks, amid growing concerns about cyber threats. Fifty-three per cent of chief financial officers or financial controllers at 196 UK and global companies surveyed by PwC said they had “very little or insufficient data to manage cyber risk well”. That is despite 58 per cent of the companies surveyed indicating that they faced “substantial or critical” cyber security risks. “Boards and business leaders are increasingly aware of organised and rapidly evolving cyber threats, but there remains a wide gap between this knowledge and what many are able to do about it,” said Brian Furness, a partner at PwC.
Only 12 per cent of the respondents told PwC that they had a formal process for assessing technology-related risks to their company, such as hacking.
“In challenging economic times it is the role of the successful finance function to support organisations’ attempts to mitigate these threats. The best are already doing this but others have a way to go,” Mr Furness added.
The research was conducted by PwC throughout this year and formed part of an annual review of companies’ finance functions – including compliance controls, and accounting efficiency.
Last month, more than a dozen men were arrested for their alleged involvement in two separate cyber attacks against Barclays and Santander.
The thwarted cyber attack against Santander involved suspects allegedly attempting to access computers remotely at one of the bank’s branches in southeast London, by using a device that could be fitted to a computer within the branch to enable transmission of the device’s contents.
The increasing number of cyber attacks has become a concern to the UK’s financial regulator, and the Prudential Regulation Authority has already asked banks to provide detailed information about their resilience to such attacks.
Last month the UK became the first country to openly declare that it is developing the capability to carry out offensive cyber attacks against other nations.
Philip Hammond, defence secretary, said in September that the UK was “developing a full spectrum military cyber capability, including a strike capability”. He said the government’s efforts to bolster its cyber combat capabilities included employing hundreds of computer experts as reservists in the armed forces.
