UK gov: Brit biz barons, get your privates in check before the spooks arrive

MI5 and GCHQ rub hands with glee at FTSE350 security audit

Spooks from GCHQ and MI5 will be given insider access to the UK's top 350 companies in a bid to reduce any damage caused by hackers wreaking havoc upon Blighty-based businesses.

A letter to the FTSE 350 chairmen – signed by MI5 director general Andrew Parker, GCHQ director Iain Lobban and Universities Minister David Willetts – argues that cyber attacks are causing increasing damage to the UK's economic well being.

The "Cyber Governance Health Check" is built on the UK government’s existing Cyber Security Strategy, which aims to make the UK one of the best places in the world for e-business, viewed as a key factor in fuelling economic growth.

Company chairmen and chairs of audit committees will be asked to complete a questionnaire to assess the cyber awareness of their businesses.

Firms that agree to participate will be able to review the results of their own efforts against anonymised results from their peers, a move seen as helping big names identify potential flaws in their cyber security procedures. If successful, the voluntary scheme would help to promote best practice across industry as well as setting a benchmark by which individual cyber security programmes might be judged.

The programme, expected to begin in November, aims to push firms towards developing a more comprehensive and better-thought-through risk management strategy. In some ways the scheme resembles the self-assessment audits that smaller retailers are obliged to complete under the credit card industry's PCI DSS security scheme.

"This seems to be like PCI but with membership of the FTSE 350 as the qualifier," security blogger and CISO Quentyn Taylor told El Reg.

"Cyber security is vital for your business and for the country as a whole. The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems," the letter from government and spooks states.

"We very much hope to secure your support for the Cyber Governance Health Check which we believe will be of real benefit both to your company and broader UK interests."

Malcolm Marshall, global head of information protection and resilience at KPMG, who worked on KPMG’s own research into the cyber vulnerability of the FTSE 350, commented: "The Government’s initiative is an integral part of the fight against cyber crime. By building an understanding of UK plc’s cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business."

Brian Honan, an experienced infosec consultant, told El Reg that unless the cyber governance health checks are carried out regularly they will have little benefit. He pointed out that, since the scheme is voluntary, take-up rates remain uncertain.

"On the face of it the proposed scheme may have some merit; however, just as in real life, a one-off health check may not give any long-term benefits," Honan explained. "A point-in-time health check by your doctor may not necessarily prevent you having a heart attack 12-18 months later if there is not an on-going health regime."

"Similarly a point in time cyber security health check may give a false impression of security to the board which could prove fatal at a later stage. If there are no on-going checks and subsequent steps to improve security then the exercise may turn out to be a simple tick box exercise for auditors and the board. As a voluntary scheme it will also be interesting to see what level of take up there will be in it, given that many of the FTSE 350 businesses are most likely heavily regulated due to their size and nature," he added.

The UK government initiative follows a report by management consultants KPMG, released earlier this week, which said every one of the FTSE 350 companies was leaking data that could be used by hackers to gain control of their trade secrets or carry out fraud. Firms across the FTSE 350 are inadvertently leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, where it can be picked up and used by hackers.

Ironically, KPMG is making exactly the same errors it criticises in others, according to an investigation by security blogger Graham Cluley. Not only are workers' email addresses exposed but a simple Google search uncovered a number of PDF files and PPTs on KPMG's own site that are marked as "confidential".

Quizzed on these findings, a KPMG spokeswoman attempted to sidestep these snafus, arguing that its report was designed to raise awareness about the leakage issue.

"KPMG put its own site through the same examination as we did other sites," she told El Reg. "We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so." ®
