The financial services industry, of course, faces a greater risk of attack than most sectors and is subject to greater scrutiny. It has undoubtedly made significant strides to improve security, spending around 10 per cent of its IT budget on the endeavour (a figure matched only by telecoms and manufacturing), according to the 2012 Information Security Breaches report.
It has also led the way in terms of improving user authentication controls, detecting fraud (both internal and external) and educating customers about security threats. Such a response has largely been born of commercial necessity. As the survey notes, financial services is the sector most affected by customer impersonation and identity fraud. “Criminals currently appear to find it easier to make money by impersonating the customers of banks,” it states.
In his keynote speech at the Infosecurity Show, Minister of State for Universities and Science David Willetts, whose remit includes cybersecurity, praised the sector for its “attitude shift”, noting that in recent years there had been a sea change in financial services companies’ willingness to co-operate with one another in order to understand and combat threats better and faster. He urged other sectors of the economy to take a similar approach and share information on attacks, as well as to work collaboratively across the public and private sectors to improve defences.
Different sectors face different levels and types of threat, of course. Yet most of the successful incursions into company systems and networks could have been avoided if companies had simply got the information security basics right.
Professor Walker says organisations have for too long ignored the experts’ warnings. “When you report to an organisation’s CISO and security directorate that they are hosting significant security vulnerabilities, leaking information and presenting an opportunity for malware to enter and leave their logical premises undetected, as well as being exposed to a high level of insider threat, only to have your report ignored – it does make you realise, Houston, we have a problem,” he says.
The UK Cyber Security Strategy launched by Minister for the Cabinet Office Francis Maude in November last year states: “The technical capabilities that enable a wide range of actions to protect the UK need strengthening. But it is clear that our approach to the risks in cyberspace must not rely on technical measures alone. Changes in attitudes and behaviours will also be crucial to operating safely in cyberspace.”
Changing attitudes, raising awareness
Those responsible for driving information security in leading organisations also believe changing attitudes is a key part of their role. They recognise they must better communicate the real risks and available options to boards in order to secure adequate resources for information security. Equally, they understand the importance of raising user awareness and changing behaviours.