London: The UK Government has urged senior business leaders to step up their response to cyber threats.
Its initiative to present cyber security as a business risk, not just a technical issue, was welcomed immediately by professional service security consultants.
The Department for Business says that for the first time, the Government and intelligence agencies are directly targeting the most senior levels in the UK's largest companies — company boards, their Chairs and Chief Executive Officers — and providing them with advice on cyber security threats.
The new Cyber Security Guidance for Business (below) looks at how to safeguard a company's most valuable assets, such as personal data, online services and intellectual property.
It is designed to reinforce the idea that this is a strategic risk that needs to be managed at board level.
Business Secretary Vince Cable said, "Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property. By properly protecting themselves against attacks companies are protecting their bottom line.
"Ensuring this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance which secures a business for the long-term."
The guidance, produced by CESG (the Information Security arm of GCHQ), the Department for Business and the Centre for the Protection of National Infrastructure (CPNI), will help the private sector minimise the risks to company assets.
It builds on a key objective within the Government's Cyber Security Strategy to work hand in hand with industry and make the UK one of the most secure places in the world to do online business.
Commenting on the launch, Mike Maddison, EMEA head of security and resilience at Deloitte, said, "Deloitte welcomes this positive step from the Government, which recognises the seriousness of cyber security for UK Plc by raising it not just as a technical risk, but also as an overall business risk. Most businesses recognise that the volume and sophistication of cyber attacks is rising, but many are still struggling to fully understand the increased threat, let alone respond effectively.
"Whatever sector they operate in, companies need to be aware not just of potential future attacks, but detect and respond to ones that might already have happened. Attacks exist that can lie undetected for years, all the while leaking commercially sensitive information and intellectual property, so it is vitally important that organisations regularly review their systems as well as appropriately invest in better intelligence.
"Becoming cyber intelligent is a strategic imperative for all UK businesses that rely on the internet. Impacts of a cyber breach can range from reputational damage to loss of competitive advantage, a drop in share prices and regulatory fines. People in the most senior positions need to understand this and plan for the worst."
Mark Brown, Director of Information Security at Ernst & Young, said, "(The) launch is a welcome move by government and serves as a wake-up call to UK Plc on the need to elevate cyber security on the boardroom agenda.
"Recent high-profile breaches and industry research show an overconfidence in organisations' approach to the subject which remains focused on driving IT compliance. The changing risk landscape, now more than ever, requires a shift in focus to recognise the strategic importance of protecting a company's information assets.
"This announcement by government demonstrates concern that UK Plc is not addressing the problem of information security appropriately. As such, their move outlines a new approach involving collaboration between public and private sector which is required to collectively tackle the ever increasing threats posed by organised criminals.
"Although this is an appropriate short-term solution, the longer-term cure for this problem surely involves re-evaluating the skills and knowledge gap in industry rather than government intervention."