Cybercriminals are smart, highly innovative and persistent. The rewards for these criminals are huge. Not only are they after our information; they are after our money, and can and will steal it seemingly whenever they choose.
Our traditional defenses are no longer adequate to protect us. Not only will cybercriminals get into our systems, but, for many systems, they are inside already, assessing which of the data they have accessed is of use to them and waiting to act.
In 2015, 90 percent of large UK organizations reported breaches, highlighting the urgency of addressing cyber risks.
Cyber Threat a Shared Issue
Actions by government to increase national cybersecurity need to be matched by the private sector. Although individual firms have taken certain measures to ensure their security and ability to recover, more needs to be done. Cyber threat is a shared issue, and there is limited advantage in going it alone.
For example, cyber threats and terrorism are risks that are converging. Information about cybersecurity sits within the private sector, while terrorism is handled by the public sector. There must be greater partnership between the two to prepare critical infrastructure for these intertwined risks.
Furthermore, countries are now confronting a stark new reality of threats against physical assets, including electric grids, dams, telecommunications networks, transportation systems and civilian nuclear facilities. Ubiquitous connections to the internet have increased vulnerability in the industrial systems that control these physical assets. As the vast majority of critical infrastructure in many countries is owned and operated by the private sector, it is vital that government and industry lock arms in confronting this risk.
Governments have recognized the economic threat presented by cyber risk and are taking a number of measures to build technological and human resilience across the economy. More than 30 countries—including Germany, Italy, France, the UK, the U.S., Japan and Canada—have unveiled cybersecurity strategies. In February 2014, Chinese President Xi Jinping announced a new national cybersecurity body to coordinate security efforts, and in April 2015, Singapore launched a cybersecurity agency to oversee policies and conduct cybersecurity outreach.
Governments are supporting the development of cyber defenses by backing research and innovation, building knowledge and skills, and developing awareness of cyber risks. For example, the UK Government’s Centre for the Protection of National Infrastructure provides good practice and technical guidance and facilitates information exchange between sectors, including the energy sector and manufacturers of security equipment for national infrastructure. France’s cybersecurity strategies, coordinated by the National Agency for the Security of Information Systems, are similarly based on promoting cooperation between the public and the private sector.
Public-Private Info-Sharing on Cyber Risk
Governments are fostering collaborative sharing of information between the public and the private sector on cyber threats and vulnerabilities. Understanding the full cyber-risk landscape is difficult for many firms, so efforts stimulated by government or by industry associations to support the sharing of threat and response information can be very important. The UK’s Cyber Security Information Sharing Partnership was launched to support the wider objectives of the UK’s National Cyber Security Strategy. Such mechanisms enable companies to confidently and safely share information on cyber threats without revealing corporate vulnerabilities, corporate secrets or customers’ personally identifiable information (PII), and without leaving a company exposed to lawsuits or to governmental or regulatory investigations. They also allow companies within the same industry to share information without concerns of apparent collusion.
Cooperation with the government, including law enforcement, will help preempt cybercriminals and bring them to justice. Private industry information sharing with law enforcement will ensure that intelligence on breaches and attacks reaches bodies through which cybercriminals can be apprehended.
Police and law enforcement play a critical role in the fight against cyber threats, which underlines the need for a joined-up approach between industry and government bodies. Currently, cyber incidents are underreported, and in order to bring cases to the attention of the police, organizations should look to regularly report crime and share information that they are aware of. With more crimes reported and greater cooperation with national bodies such as the UK’s National Cyber Crime Unit and international agencies such as the European Union Agency for Network and Information Security, law enforcement will be able to bring more cybercriminals to justice, growing the prosecution rate.
To effectively combat cyber threats, the government and private sector need to adopt a mindset that we are all in this together in an urgent fight against a common enemy. That enemy is hidden, operating behind the scenes and inside our organizations and our devices, and is incredibly difficult to detect, take down and punish.
As of now, no major group has been prosecuted. Losing is potentially catastrophic and ultimately avoidable. Winning allows us to preserve our society and our daily life as we know it.