Office of Cyber Security suggests new standards to raise awareness of cyber crime
Disclosure, insurance deals and kitemarks the way forward, says director James Quinault
Better disclosure, success-based insurance breaks and kitemark standards on cyber security products are the three ways the Office of Cyber Security believes the UK government should encourage businesses to take more notice of cyber crime, according to Office director James Quinault.
Quinault was speaking at today's Westminster Cyber Security Strategy eForum.
"We've tried to make sure we send a coordinated message about the importance of managing [cyber security] as a business risk," said Quinault.
"But we don't think that awareness rises by itself. At the moment, until you get stung, there's not a lot of money riding on this. You don't get points for being good at it, it doesn't cost you until that terrible moment comes if you're bad."
However, Quinault said that the government is against funding a cyber security awareness campaign aimed at business because it feels that the industry "moves too fast". He offered a threefold solution.
The first step, Quinault said, is to encourage more disclosure.
"We won't improve awareness until there's more information out there that firms can use to benchmark themselves against, because it's important to have some way of crystallising what good looks like," he said.
Quinault suggested firms that exemplify best practice should get public recognition of this, and outlined plans that would see such companies receiving discounted insurance premiums.
"It's a quick way of getting some money resting on the decision to be good at this," said Quinault. "If you can successfully demonstrate to your insurer that, because of the steps you've taken, there's a lower risk of expensive interruptions to your business due to IT failure [then you should be rewarded]."
Finally, Quinault suggested a kitemark standard scheme for cyber security products.
"One of the things suppressing investment in this area is that customers can't tell the difference between good stuff that might help them, and the snake oil," said Quinault. "Until we find some way to break through that, it's going to continue being a barrier."
But Michael de Crespigny, CEO of the Information and Security Forum, was not convinced that kitemarks would have any meaningful value.
"Today, there are over 50 different information security standards. It's created fog and confusion, and distracts from progress. There's as much debate about standards as there is about actually getting on and doing something."
De Crespigny added: "While the concept of kitemarks is interesting, the level of risk faced in banking is quite different to aerospace, infocomms and other sectors. So it's important that when an organisation looks at how well it's exercising control, it's in the context of risk and being able to compare itself to its peers."