Out-Law News
14 Oct 2013, 3:55 pm
In a report detailing its competitive analysis of the UK cyber security sector (94-page / 6.21MB PDF), Pierre Audoin Consultants (PAC) recommended that the Department for Business, Innovation and Skills (BIS) "promote approvals for suppliers and ‘kite-marking’ for e-commerce sites".
"BIS can justify such efforts on the basis of the potential cost to industry of data breaches ... and the opportunity cost to the UK economy of business potentially being conducted elsewhere if local firms are not trusted to be secure," the report said.
PAC said that it was important that small and medium sized businesses (SMEs) could identify and work with suppliers that are "certified as knowledgeable and competent in cyber security" and said that a scheme enabling this certification, one that is both "widely available and adopted", is necessary.
The consultancy called on BIS to do more to raise awareness of cyber security matters after it identified that SMEs are often either unsure how to respond to threats publicised in the media or "don't really care".
"While we recognise that BIS has made some effort in this regard, for example through the ‘10 Steps’ documents, a consistent and persistent programme is required," it said. "We think that this should be driven through SME ‘influencer’ bodies that have the reach and impact required."
"For SMEs the most effective channels of communication are likely to involve trusted third parties, such as ISPs, accountants, chambers of commerce and associations & forums," PAC added.
Last year BIS, the Centre for the Protection of National Infrastructure and UK intelligence agency GCHQ jointly produced new guidelines on cyber security. The guidance included ten steps that businesses can take to reduce cyber risks.
However, according to a survey undertaken on behalf of the Financial Times and the Institute of Chartered Secretaries and Administrators (ICSA), just 13% of FTSE 350 boards have discussed the Government's cyber security guidelines and acted upon them. A further 8% said they had discussed the guidelines but not acted on them.
Almost half (47%) of the company secretaries at the 53 FTSE 350 businesses that responded to the survey said their board had not discussed the Government's guidance, whilst a further 28% said that their board had not seen it.
In its report, PAC called on the Government to do more to promote the importance of cyber security within the boardrooms of large UK businesses. It called on BIS to work with the Institute of Directors to ensure company directors are trained in cyber security.
BIS was also urged to "disseminate more widely knowledge of the impact of [data] breaches and popularise this amongst SMEs in particular" so that businesses can more easily "put a value on a breach or loss of data".
"Ideally, an economic model of cyber risk that allowed finance directors to make appropriate provision would be valuable, and would gain board-level attention," PAC said. "Insurance companies may have a role to play in valuations of cyber liability, although more research into this area is required."