UK gov: Brit biz barons, get your privates in check before the spooks arrive

MI5 and GCHQ rub hands with glee at FTSE350 security audit

Spooks from GCHQ and MI5 will be given insider access to the UK's top 350 companies in a bid to reduce any damage caused by hackers wreaking havoc upon Blighty-based businesses.

A letter to the FTSE 350 chairmen – signed by MI5 director general Andrew Parker, GCHQ director Iain Lobban and Universities Minister David Willetts – argues that cyber attacks are causing increasing damage to the UK's economic well-being.

The "Cyber Governance Health Check" is built on the UK government’s existing Cyber Security Strategy, which aims to make the UK one of the best places in the world for e-business, viewed as a key factor in fuelling economic growth.

Company chairmen and chairs of audit committees will be asked to complete a questionnaire to assess the cyber awareness of their businesses.

Firms that agree to participate will be able to review the results of their own efforts against anonymised results from their peers, a move seen as helping big names identify potential flaws in their cyber security procedures. If successful, the voluntary scheme would help to promote best practice across industry as well as setting a benchmark by which individual cyber security programmes might be judged.

The programme, expected to begin in November, aims to push firms towards developing a more comprehensive and better-thought-through risk management strategy. In some ways the scheme resembles the self-assessment audits that smaller retailers are obliged to complete under the credit card industry's PCI DSS security scheme.

"This seems to be like PCI but with membership of the FTSE 350 as the qualifier," security blogger and CISO Quentyn Taylor told El Reg.

"Cyber security is vital for your business and for the country as a whole. The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems," the letter from government and spooks states.

"We very much hope to secure your support for the Cyber Governance Health Check which we believe will be of real benefit both to your company and broader UK interests."

Malcolm Marshall, global head of information protection and resilience at KPMG, who worked on KPMG’s own research into the cyber vulnerability of the FTSE 350, commented: "The Government’s initiative is an integral part of the fight against cyber crime. By building an understanding of UK plc’s cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business."

Brian Honan, an experienced infosec consultant, told El Reg that unless the cyber governance health checks are carried out regularly they will have little benefit. He pointed out that, since the scheme is voluntary, take-up rates remain uncertain.

"On the face of it the proposed scheme may have some merit, however just as in real life a once off health check may not give any long term benefits," Honan explained. "A point in time health check by your doctor may not necessarily prevent you having a heart attack 12-18 months later if there is not an on-going health regime."

"Similarly a point in time cyber security health check may give a false impression of security to the board which could prove fatal at a later stage. If there are no on-going checks and subsequent steps to improve security then the exercise may turn out to be a simple tick box exercise for auditors and the board. As a voluntary scheme it will also be interesting to see what level of take up there will be in it, given that many of the FTSE 350 businesses are most likely heavily regulated due to their size and nature," he added.

The UK government initiative follows a report by management consultants KPMG, released earlier this week, which said every one of the FTSE 350 companies was leaking data that can be used by hackers to gain control of their trade secrets or carry out fraud. Firms across the FTSE 350 are inadvertently leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, where it is there for the taking.

Ironically, KPMG is making exactly the same errors it criticises in others, according to an investigation by security blogger Graham Cluley. Not only are workers' email addresses exposed but a simple Google search uncovered a number of PDF files and PPTs on KPMG's own site that are marked as "confidential".
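The leakage KPMG describes, and then fell foul of itself (usernames, email addresses and internal file paths left in published documents, plus files marked "confidential" sitting on a public web server), is the kind of thing a publisher can check for before a file goes live. What follows is an added example, not code from the article, from KPMG's report or from the government scheme: a heuristic pre-publication scanner in Python that pulls the Info fields out of a PDF-shaped byte string, flags login-style author names, email addresses, UNC or drive-letter paths and classification markings, and blanks the offending fields with same-length padding. The sample bytes, the field list and the login-name pattern are constructed assumptions; it reads raw bytes with regular expressions rather than parsing PDF syntax properly, so treat it as triage, not as a replacement for re-exporting the document without metadata.

```python
import re

# Constructed sample standing in for a document about to be published on a
# corporate website. It is a PDF-shaped byte string, not a real PDF file:
# only an Info dictionary and a trailer are present.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title (Q3 results pack - CONFIDENTIAL)
/Author (jsmith42)
/Creator (Microsoft Word)
/Producer (Acrobat Distiller)
/Subject (Draft for j.smith@example.com - source \\fileserver01\finance\q3.docx) >> endobj
trailer << /Info 3 0 R >>
%%EOF
"""

# Info dictionary entries written as literal strings: /Name (value)
INFO_FIELD = re.compile(rb"/(Title|Author|Subject|Keywords|Creator|Producer)(\s*)\(([^)]*)\)")
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UNC share, Windows drive path, or a Unix home directory: all internal locations
INTERNAL_PATH = re.compile(rb"(\\\\[\w.-]+\\[^\s)]+|[A-Za-z]:\\[^\s)]+|/(?:home|Users)/[^\s)]+)")
# Heuristic (an assumption, not a standard): a directory login name looks like
# lowercase letters with optional trailing digits, whereas a display name has spaces.
LOGIN_NAME = re.compile(rb"^[a-z]{2,12}\d{0,4}$")
CLASSIFICATION = re.compile(rb"confidential|internal only|restricted", re.IGNORECASE)


def extract_info_fields(data):
    """Return the Info dictionary fields found in the raw bytes as a dict."""
    return {name.decode(): value.decode("latin-1")
            for name, _, value in INFO_FIELD.findall(data)}


def find_leaks(data):
    """Return a sorted list of (category, evidence) pairs for a document."""
    findings = set()
    fields = extract_info_fields(data)
    author = fields.get("Author", "")
    if LOGIN_NAME.match(author.encode("latin-1")):
        findings.add(("username", author))
    for field in ("Title", "Subject", "Keywords"):
        if CLASSIFICATION.search(fields.get(field, "").encode("latin-1")):
            findings.add(("classification", fields[field]))
    # Emails and paths are searched across the whole file, not only the Info
    # dictionary, since they also turn up in XMP packets and page text.
    for match in EMAIL.findall(data):
        findings.add(("email", match.decode("latin-1")))
    for match in INTERNAL_PATH.findall(data):
        findings.add(("internal_path", match.decode("latin-1")))
    return sorted(findings)


def blank_info_fields(data, fields=("Title", "Author", "Subject", "Keywords")):
    """Overwrite selected Info values with spaces of the same length.

    Same-length replacement keeps every byte offset unchanged, so a real
    file's cross-reference table still points at the right objects. The
    proper fix is still to regenerate the document without metadata."""
    def repl(match):
        name, spacing, value = match.group(1), match.group(2), match.group(3)
        if name.decode() in fields:
            return b"/" + name + spacing + b"(" + b" " * len(value) + b")"
        return match.group(0)
    return INFO_FIELD.sub(repl, data)


def safe_to_publish(data):
    """A document passes only when no leak category is detected."""
    return not find_leaks(data)


if __name__ == "__main__":
    for category, evidence in find_leaks(SAMPLE_PDF):
        print(f"{category:15} {evidence}")
    print("safe to publish after blanking:", safe_to_publish(blank_info_fields(SAMPLE_PDF)))
```

Run as a script it lists the four findings in the constructed sample (a classification marking in the title, an email address, a UNC path and a login-style author name) and reports that the blanked copy is clean. In a publishing pipeline the useful part is `safe_to_publish` as a gate on upload: a document that fails goes back to its owner rather than onto the web server, which is the control that would have kept KPMG's "confidential" decks out of a Google search.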

Quizzed on these findings, a KPMG spokeswoman attempted to sidestep these snafus, arguing that its report was designed to raise awareness about the leakage issue.

"KPMG put its own site through the same examination as we did other sites," she told El Reg. "We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so." ®
