MI5 and GCHQ send cyber checklist to FTSE350

Posted on Jul 28, 2013


20130728 – London

British security services urge a cyber-security check for UK companies

The heads of MI5 and GCHQ have written to the chairmen of some of the UK’s largest businesses as part of an effort to increase corporate cyber security. External observers may see this as an attempt to deflect some of the unwanted attention these agencies recently received and to focus attention on companies instead.

The initiative comes as Lakeland, the kitchenware retailer, revealed that its website was compromised by a serious cyber-attack this week. According to the retailer, hackers gained access to two encrypted databases.

The director-general of MI5 and the director of GCHQ have urged all FTSE 350 chairmen to take part in completing a cyber-governance checklist. The checklist, in the form of a questionnaire, will aim to gauge how well each company is keeping customer information and intellectual property secure. The letter emphasises the need for the questionnaire to be completed by the chairman, and not by any delegated officers: “by delegating the completion of the Tracker (eg to your chief information officer), your results may overlook existing internal vulnerabilities linked to governance”.

It is suggested that the results will enable companies to evaluate their performance against that of other companies, with results to be published later this year. Unfortunately, this is purely a tick-box exercise, which will most likely produce highly spurious and relatively unusable results. It also comes after revelations made last month by the Guardian newspaper that security agencies were allegedly involved in monitoring the computers of foreign politicians and officials who took part in G20 summit meetings in London in 2009.

Companies should give cyber-security much more attention, given recent incidents of intellectual property theft by hackers in developing economies. Companies that have not done so should create a CSO (chief security officer) role, with similar status and remuneration to that of the CFO, with cyber-security as its main focus. A company’s financial performance cannot be maintained if its intellectual property and commercial data are stolen.

Quantum Dawn 2

Last week, findings were released from the Quantum Dawn 2 mock cyber-attack in the US, which involved 50 institutions, including industry entities of varying sizes as well as the Department of Homeland Security and the FBI.

As businesses migrate to using cloud-based systems, an awareness of cyber-security is even more important. The large cost savings that cloud-based systems offer are only worth it if businesses take the security of their data and intellectual property seriously enough, and have security measures in place to ensure business continuity.