Government to warn business about the cyber threat

The BBC report is surprisingly short on details. It says that “It is estimated that UK businesses lose £21bn a year to cyber crime,” but doesn’t say where that figure comes from, nor that it has been questioned. Earlier this year, for example, a study led by Cambridge University’s Professor Ross Anderson and commissioned by the Ministry of Defence concluded that security is already back-to-front: “we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”

One BBC point that few will question, however, is that “a survey in May by BAE Systems Detica suggested nearly nine out of 10 UK businesses were very or fairly confident about their defences. Iain Lobban, the head of GCHQ, will tell business leaders that such confidence is misplaced with potentially major implications for the economy and customers’ trust in online services.”

The optimism bias is well known in security. It translates into the belief that bad things only happen to other people. GCHQ clearly feels that it has to stress the severity of the threat in order to be taken seriously and counterbalance this optimism bias. However, the proximity of the Communications Bill may also be relevant. In July, ex-L0pht Heavy Industries member Space Rogue, now a threat intelligence manager at SpiderLabs, recognized the correlation between severe warnings and new bills. “That,” he told Infosecurity, “is a connection you can easily make in your head, but one that is difficult to prove in practice.”

Nevertheless, there is a severe threat out there, and it seems to be getting worse. Today, Terry Greer-King, UK managing director for Check Point, quantified this. “Earlier this year,” he said, “we found that UK companies were reporting an average of 68 new security attacks every week, and that successful incidents were costing around £150,000 each.” Separate figures from Kaspersky Lab suggest that 48% of companies are insufficiently protected against theft of IP, while (contradicting the Detica figures) 51% of business representatives believe their security could not stop a serious attempt at industrial espionage.

Kaspersky’s senior regional researcher David Emm suggested to Infosecurity that the ‘potentially major implications for the economy’ mentioned by the BBC are in reality twofold. “The problem for individual businesses suffering a major security breach can be severe,” he said. “But the problem for the British economy as a whole is a loss of trust – that trade in general might decide that Britain simply isn’t safe, and go elsewhere.” This is perhaps the main threat that GCHQ hopes to counter.

UPDATE:
Since this report was written, the BBC has updated its report with more details. “The meeting will be addressed by William Hague, the foreign secretary, and Vince Cable, business secretary,” the report now says.

This may be the same meeting referred to by BAE Systems Detica, which this afternoon announced that it welcomes “the government’s new Cyber Security for Business programme, which will be launched by cabinet ministers at 5:30pm this afternoon.” Detica is particularly pleased at the involvement of business. “It is heartening,” said Dave Garfield, head of cyber security, “that the Government is targeting this initiative at CEOs and Board members who are the real decision makers in understanding the risk and putting appropriate investment and resources in place to combat this pervasive problem.”

The BBC report also now mentions the appeal issued jointly by MI5 and GCHQ – a themed call for innovative research proposals for security and intelligence applications. “This call is keen to receive proposals from organisations that have not previously worked with the security and intelligence agencies, particularly small and medium sized enterprises (SMEs).” It is believed that this is the first time the security services have reached out to business in this manner.
