Cyber security is not just about information


Governments have failed to enforce existing good laws (and there are a few), modify defective laws and introduce new essential legislation. Businesses have consistently tried to avoid spending money on cyber risk control. There has been a lack of appropriate training and employment for specialists since the ending of the Cold War. The result is that cyber security has moved backwards since 1990 at almost the same rate as cyber crime has increased. BSD Editor

The IET welcomes the Government announcement of new investment in a £1.9bn government cybersecurity strategy but is calling for the emphasis to be firmly on education and behaviour change, which needs to be led by business leaders.


Prof Roy Isbell, the IET’s cyber security expert, said: “Any organisation is at risk of being hacked, however good their security measures. But while most have plans for how to cope with a hacking incident, very few CEOs have seen or understand the plan.

“Similarly, organisations typically invest millions in cyber security measures and protection, but frequently only train one or two members of staff. Having the plans is not enough – it’s far more important that people at all levels of an organisation, including its leadership, can implement them effectively. Of vital importance is the ability of organisations and management to be aware of the extent of cyber security within their organisation to develop an effective strategy. Cyber security is not just about information, it is about all areas of the business, including automated manufacturing processes, which if hacked could lead to a significant loss of production.

“It’s also vital to understand the risk of social engineering and that humans are the ‘weakest link’ – so, for example, organisations need to rethink the way employees use the internet at work, including using work email addresses for personal use. And most organisations have two or three levels of access to data, usually based on the internal company hierarchy rather than on individuals’ ‘need to know’.

“Another common mistake organisations make is to have ‘blanket’ policies applied indiscriminately to all kinds of data sets. This is because they often don’t understand the value of their data or how to cost the risk of being hacked so fail to create data protection policies based on the value of their data.

“As part of the Government’s new cyber security strategy, there is a real opportunity to educate organisations in how they approach and prioritise cyber security planning. Training a new generation of cyber security experts is vital – but so is making sure that today’s leaders understand and can tackle the extent of the challenge we face.”
