UK gov: Brit biz barons, get your privates in check before the spooks arrive
MI5 and GCHQ rub hands with glee at FTSE350 security audit
Spooks from GCHQ and MI5 will be given insider access to the UK's top 350 companies in a bid to reduce any damage caused by hackers wreaking havoc upon Blighty-based businesses.
A letter to the FTSE 350 chairmen – signed by MI5 director general Andrew Parker, GCHQ director Iain Lobban and Universities Minister David Willetts – argues that cyber attacks are causing increasing damage to the UK's economic well-being.
The "Cyber Governance Health Check" is built on the UK government’s existing Cyber Security Strategy, which aims to make the UK one of the best places in the world for e-business, viewed as a key factor in fuelling economic growth.
Company chairmen and chairs of audit committees will be asked to complete a questionnaire to assess the cyber awareness of their businesses.
Firms that agree to participate will be able to review the results of their own efforts against anonymised results from their peers, a move seen as helping big names identify potential flaws in their cyber security procedures. If successful, the voluntary scheme would help to promote best practice across industry as well as setting a benchmark by which individual cyber security programmes might be judged.
The programme, expected to begin in November, aims to push firms towards developing a more comprehensive and better-thought-through risk management strategy. In some ways the scheme resembles the self-assessment audits that smaller retailers are obliged to complete under the credit card industry's PCI DSS security scheme.
"This seems to be like PCI but with membership of the FTSE 350 as the qualifier," security blogger and CISO Quentyn Taylor told El Reg.
"Cyber security is vital for your business and for the country as a whole. The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems," the letter from government and spooks states.
"We very much hope to secure your support for the Cyber Governance Health Check which we believe will be of real benefit both to your company and broader UK interests."
Malcolm Marshall, global head of information protection and resilience at KPMG, who worked on KPMG’s own research into the cyber vulnerability of the FTSE 350, commented: "The Government’s initiative is an integral part of the fight against cyber crime. By building an understanding of UK plc’s cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business."
Brian Honan, an experienced infosec consultant, told El Reg that unless the cyber governance health checks are carried out regularly they will have little benefit. He also pointed out that, since the scheme is voluntary, take-up rates remain uncertain.
"On the face of it the proposed scheme may have some merit, however just as in real life a once off health check may not give any long term benefits," Honan explained. "A point in time health check by your doctor may not necessarily prevent you having a heart attack 12-18 months later if there is not an on-going health regime."
"Similarly a point in time cyber security health check may give a false impression of security to the board which could prove fatal at a later stage. If there are no on-going checks and subsequent steps to improve security then the exercise may turn out to be a simple tick box exercise for auditors and the board. As a voluntary scheme it will also be interesting to see what level of take up there will be in it, given that many of the FTSE 350 businesses are most likely heavily regulated due to their size and nature," he added.
The UK government initiative follows a report by management consultants KPMG, released earlier this week, which said that every one of the FTSE 350 companies was leaking data that hackers could use to gain control of their trade secrets or carry out fraud. Firms across the FTSE 350 are inadvertently leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, where hackers can collect and use it.
Ironically, KPMG is making exactly the same errors it criticises in others, according to an investigation by security blogger Graham Cluley. Not only are workers' email addresses exposed but a simple Google search uncovered a number of PDF files and PPTs on KPMG's own site that are marked as "confidential".
Quizzed on these findings, a KPMG spokeswoman attempted to sidestep the snafus, arguing that its report was designed to raise awareness about the leakage issue.
"KPMG put its own site through the same examination as we did other sites," she told El Reg. "We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so." ®