UK businesses urged to conduct cyber "health checks" by security agencies

Out-Law News | 26 Jul 2013 | 9:42 am | 2 min. read

The heads of the UK's main security agencies have called on the country's biggest businesses to carry out a "Cyber Governance Health Check", according to press reports.

The directors of domestic security agency MI5 and intelligence agency GCHQ have written to the chairs of FTSE 350 companies as part of a new initiative to raise corporate awareness of cyber crime, according to the Financial Times.

Company chairs and audit committee heads will be asked to complete a questionnaire on how they protect company intellectual property and customer data, the FT said. The results will then be aggregated anonymously so that companies can see how they rank against their peers. Under a proposed second stage of the initiative, auditors would be contacted to discuss the areas in which a company may be particularly vulnerable, according to the FT.

The new initiative follows the publication earlier this week of research showing that every company listed on the FTSE 350 was "leaking" the sort of data that could be used by attackers to gain access to their systems and control of their intellectual property. On Tuesday, homeware retailer Lakeland informed its customers that it was resetting their passwords after hackers gained access to two of its databases, according to a statement on its website.

"The Government's initiative is a welcome and timely addition to the fight against cyber crime," said Simon Collins, chair of professional services firm KPMG, which carried out the research and has agreed to support the Health Check programme. "It will raise the profile of the risks and highlight that all of us, as part of UK plc, need to plug gaps in our security before leaks become a flood."

KPMG announced on Wednesday that it had been able to collect employee usernames, email addresses and sensitive internal file location information about every FTSE 350 company using data found publicly on the internet. On average 41 usernames, 44 email addresses and five internal file locations were available for each company, it said.

Although none of the data was obtained by breaching companies' existing security controls, KPMG said that what was available could be used by attackers to commit fraud or to gain control of intellectual property. For example, it said, attackers could gain unrestricted access to a corporate network by sending 'phishing' emails to the harvested internal addresses: emails containing a link to a web page that hosts malware, or that tricks the recipient into entering sensitive information such as passwords or credit card details. Companies in the aerospace and defence sector recorded the highest number of publicly available internal email addresses, KPMG said.
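The kind of leak KPMG describes usually sits inside files a company publishes itself: Office documents carry the author's logon name in their metadata, and their body text and hyperlinks carry internal file paths and mailboxes. The script below is an added example, not code from KPMG, Out-Law or the Health Check programme. It assumes, which the article does not state, that document metadata and hyperlink targets are the source of such data; the .docx it inspects is constructed inside the script with invented users, hosts and addresses, and the audit and scrub functions are this example's own.

```python
"""Audit a .docx for leaked usernames, e-mail addresses and internal file
locations, then blank the author metadata. Added example; the sample document
and all names, hosts and addresses in it are constructed for illustration."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for _prefix, _uri in NS.items():          # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Core-property fields that normally hold a Windows logon name.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UNC paths (\\server\share\...) and drive-letter paths: both expose hostnames and layout.
PATH_RE = re.compile(r'\\\\[\w.-]+(?:\\[^\\\s"<>|]+)+|[A-Za-z]:\\[^\s"<>|]+')
# A profile path such as C:\Users\bwong\... carries a logon name as well.
USER_DIR_RE = re.compile(r'\\Users\\([^\\\s"<>|]+)')


def audit_docx(data: bytes) -> dict:
    """Return sorted lists of usernames, e-mail addresses and internal paths found."""
    found = {"usernames": set(), "emails": set(), "paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in CORE_FIELDS:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    found["usernames"].add(el.text.strip())
        # Every XML part and relationship file: body text, hyperlink targets, templates.
        for name in names:
            if name.endswith((".xml", ".rels")):
                text = z.read(name).decode("utf-8", "replace")
                found["emails"].update(EMAIL_RE.findall(text))
                found["paths"].update(PATH_RE.findall(text))
                found["usernames"].update(USER_DIR_RE.findall(text))
    return {k: sorted(v) for k, v in found.items()}


def scrub_core_properties(data: bytes) -> bytes:
    """Blank the author fields in docProps/core.xml; every other part is copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            blob = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(blob)
                for tag in CORE_FIELDS:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                blob = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, blob)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying the leaks the audit looks for."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "docProps/core.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Q3 results</dc:title><dc:creator>jsmith</dc:creator>'
            r'<cp:lastModifiedBy>CORP\asharma</cp:lastModifiedBy></cp:coreProperties>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:body>'
            r'<w:p><w:r><w:t>Working copy: C:\Users\bwong\Documents\Q3\results.docx</w:t></w:r></w:p>'
            '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>model</w:t></w:r></w:hyperlink></w:p>'
            '</w:body></w:document>',
        "word/_rels/document.xml.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" TargetMode="External" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            r'Target="file:///\\fs01.corp.example.com\finance\Q3\model.xlsx"/>'
            '<Relationship Id="rId2" TargetMode="External" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="mailto:jane.doe@example.com"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before scrub:", audit_docx(sample))
    print("after scrub: ", audit_docx(scrub_core_properties(sample)))
```

Run against the constructed file, the audit reports three logon names (two from the core properties, one from a profile path in the body text), one mailbox from a mailto hyperlink and two internal paths, one of them a UNC path naming a file server. Scrubbing the core properties removes only the first two names: the path in the body text and the hyperlink targets survive, because stripping them would change the document, so a pre-publication check has to flag them for a human rather than silently rewrite them.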

The research also indicated that more than half of all FTSE 350 companies were missing up-to-date security patches or were running old server software, leaving them more exposed to attack. KPMG said it was surprised to find that companies in the support services, software and computer services sectors were the most vulnerable.

Last year, the Department for Business, Innovation and Skills (BIS), the Centre for the Protection of National Infrastructure (CPNI) and GCHQ jointly published new cyber security guidance setting out ten steps businesses can take to reduce cyber risk. However, just 13% of FTSE 350 boards have discussed that guidance and acted on it, according to a survey carried out on behalf of the FT earlier this month.