UK gov: Brit biz barons, get your privates in check before the spooks arrive

MI5 and GCHQ rub hands with glee at FTSE350 security audit

Spooks from GCHQ and MI5 will be given insider access to the UK's top 350 companies in a bid to reduce any damage caused by hackers wreaking havoc upon Blighty-based businesses.

A letter to the FTSE 350 chairmen – signed by MI5 director general Andrew Parker, GCHQ director Iain Lobban and Universities Minister David Willetts – argues that cyber attacks are causing increasing damage to the UK's economic well-being.

The "Cyber Governance Health Check" is built on the UK government’s existing Cyber Security Strategy, which aims to make the UK one of the best places in the world for e-business, viewed as a key factor in fuelling economic growth.

Company chairmen and chairs of audit committees will be asked to complete a questionnaire to assess the cyber awareness of their businesses.

Firms that agree to participate will be able to review the results of their own efforts against anonymised results from their peers, a move seen as helping big names identify potential flaws in their cyber security procedures. If successful, the voluntary scheme would help to promote best practice across industry as well as setting a benchmark by which individual cyber security programmes might be judged.

The programme, expected to begin in November, aims to push firms towards developing a more comprehensive and better-thought-through risk management strategy. In some ways the scheme resembles the self-assessment audits that smaller retailers are obliged to complete under the credit card industry's PCI DSS security scheme.

"This seems to be like PCI but with membership of the FTSE 350 as the qualifier," security blogger and CISO Quentyn Taylor told El Reg.

"Cyber security is vital for your business and for the country as a whole. The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems," the letter from government and spooks states.

"We very much hope to secure your support for the Cyber Governance Health Check which we believe will be of real benefit both to your company and broader UK interests."

Malcolm Marshall, global head of information protection and resilience at KPMG, who worked on KPMG’s own research into the cyber vulnerability of the FTSE 350, commented: "The Government’s initiative is an integral part of the fight against cyber crime. By building an understanding of UK plc’s cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business."

Brian Honan, an experienced infosec consultant, told El Reg that unless the cyber governance health checks are carried out regularly they will have little benefit. He pointed out that, since the scheme is voluntary, take-up rates remain uncertain.

"On the face of it the proposed scheme may have some merit; however, just as in real life, a one-off health check may not give any long-term benefits," Honan explained. "A point-in-time health check by your doctor may not necessarily prevent you having a heart attack 12-18 months later if there is not an on-going health regime."

"Similarly a point in time cyber security health check may give a false impression of security to the board which could prove fatal at a later stage. If there are no on-going checks and subsequent steps to improve security then the exercise may turn out to be a simple tick box exercise for auditors and the board. As a voluntary scheme it will also be interesting to see what level of take up there will be in it, given that many of the FTSE 350 businesses are most likely heavily regulated due to their size and nature," he added.

The UK government initiative follows a report by management consultants KPMG, released earlier this week, which said that every one of the FTSE 350 companies was leaking data that could be used by hackers to gain control of their trade secrets or carry out fraud. Firms across the FTSE 350 are inadvertently leaking this data by leaving employee usernames, email addresses and sensitive internal file location information online, where hackers can harvest it.

Ironically, KPMG is making exactly the same errors it criticises in others, according to an investigation by security blogger Graham Cluley. Not only are workers' email addresses exposed but a simple Google search uncovered a number of PDF files and PPTs on KPMG's own site that are marked as "confidential".

Quizzed on these findings, a KPMG spokeswoman attempted to sidestep these snafus, arguing that its report was designed to raise awareness about the leakage issue.

"KPMG put its own site through the same examination as we did other sites," she told El Reg. "We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so." ®
