01 November 2016
The IET welcomes the Government announcement of new investment in a £1.9bn government cybersecurity strategy but is calling for the emphasis to be firmly on education and behaviour change, which needs to be led by business leaders.
Prof Roy Isbell, the IET’s cyber security expert, said: “Any organisation is at risk of being hacked, however good their security measures. But while most have plans for how to cope with a hacking incident, very few CEOs have seen or understand the plan.
“Similarly, organisations typically invest millions in cyber security measures and protection, but frequently only train one or two members of staff. Having the plans is not enough – it’s far more important that people at all levels of an organisation, including its leadership, can implement them effectively. Of vital importance is the ability of organisations and management to be aware of the extent of cyber security within their organisation to develop an effective strategy. Cyber security is not just about information, it is about all areas of the business, including automated manufacturing processes, which if hacked could lead to a significant loss of production.
“It’s also vital to understand the risk of social engineering and that humans are the ‘weakest link’ – so, for example, organisations need to rethink the way employees use the internet at work, including using work email addresses for personal use. And most organisations have two or three levels of access to data, usually based on the internal company hierarchy rather than on individuals’ ‘need to know’.
“Another common mistake organisations make is to have ‘blanket’ policies applied indiscriminately to all kinds of data sets. This is because they often don’t understand the value of their data or how to cost the risk of being hacked, so fail to create data protection policies based on the value of their data.
“As part of the Government’s new cyber security strategy, there is a real opportunity to educate organisations in how they approach and prioritise cyber security planning. Training a new generation of cyber security experts is vital – but so is making sure that today’s leaders understand and can tackle the extent of the challenge we face.”