Cyber audit comment

Though the Government’s strategy for cyber security is at an early stage, activities are already beginning to deliver benefits. That’s according to a National Audit Office report.

The cost of cyber crime to the UK is estimated to be between £18 billion and £27 billion. The UK Cyber Security Strategy, published in November 2011, set out how the Government planned to deliver the National Cyber Security Programme through to 2015, committing £650m of additional funding. The strategy placed greater emphasis on the role of the public and industry in helping secure the UK against attacks and also the opportunities to UK business from a growing market in cyber security.

Among progress reported so far, the Serious Organised Crime Agency repatriated more than 2.3 million items of compromised card payment details to the financial sector in the UK and internationally since 2011, preventing a potential economic loss of more than £500 million. In the past year, moreover, the public made over 46,000 reports of cyber crime to Action Fraud, amounting to £292 million worth of attempted fraud.

The NAO identifies six key challenges faced by the Government in implementing its cyber security strategy in a rapidly changing environment. These are: the need to influence industry to protect and promote itself and UK plc; to address the UK’s current and future ICT and cyber-security skills gap; to increase awareness so that people are not the weakest link; to tackle cyber crime and enforce the law; to get government to be more agile and joined-up; and to demonstrate value for money.

The NAO recognises, in particular, that there are some challenges in establishing the value for money of the cyber security strategy. There is the conceptual problem that, if cyber attacks do not occur, it will be difficult to say the extent to which that was down to the success of the strategy. There is also the question of how to determine the relative contribution of different components of the strategy to overall success or otherwise, and of how to assign a value to the overall outcome, to set against the cost of the strategy. The NAO says that the Government has work under way to measure the benefits of the strategy.

The report is designed to set the scene in an area likely to be of continuing interest to the Committee of Public Accounts. Although that committee has not specifically examined the issue of cyber-security, it raised concerns about cyber-security in relation to the Government’s plans for smart meters, which will enable energy suppliers to collect meter readings over the internet, as well as pointing to a lack of detail on cyber security plans in the Government’s 2011 ICT strategy.

Amyas Morse, head of the National Audit Office, said on February 12: “The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack. It is good that the Government has articulated what success would look like at the end of the programme. It is crucial, in addition, that progress towards that point is in some form capable of being measured and value for money assessed.”


Some 15 government bodies are working on four objectives: to tackle cyber crime and make the UK one of the most secure places in the world to do business; to make the UK resilient to cyber attack and be better able to protect its interests in cyberspace; to help shape an open, stable and vibrant cyberspace which the UK public can use safely; and to build the UK’s knowledge, skills and capability to underpin all cyber security objectives.

In the strategy, the government describes what success would look like at the end of the programme. This includes individuals knowing how to protect themselves from crime online; critical national infrastructure being protected against cyber attack; and working relationships with other countries, business and organisations around the world being strong and well-established. Visit the NAO website, which is at

About the National Audit Office

The NAO scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Amyas Morse, is an Officer of the House of Commons and leads the NAO, which employs some 860 staff. The C&AG certifies the accounts of all government departments and many other public sector bodies.


Ross Brewer, managing director and vice president, international markets, LogRhythm, commented:
“While the report paints a pretty bleak future for the nation, it should in fact be welcomed as evidence that the government is finally catching up to the true risk of online attacks. It’s also encouraging to see that the government is continuing in its line of investing in the next generation of IT specialists, following last year’s announcement that it would be plugging £8 million into the development of security skills at universities to help battle against cybercrime.

“Reactive IT defences are undeniably outdated, and as Amyas Morse rightly stated today, organisations both public and private must be constantly aware of the cyber threat if the nation is to have any hope at protecting itself against attacks. As our world becomes increasingly connected and as data volumes grow at unprecedented rates, the potential for intellectual property or other critical information to get compromised in the chaos, or exposed to attacks, grows exponentially. However, being ‘too proactive’ – such as in the form of pre-emptive strikes, as have been previously recommended by other government bodies – could incite disturbing consequences such as the execution of even more sophisticated state-sponsored attacks on the UK’s critical infrastructure.

“Rather than launching pre-emptive cyber attacks, or relying solely on perimeter IT defences, we must start to introduce mechanisms that give context to data and facilitate a deeper understanding of all network activity, as it happens. In doing so, we must turn our mindset towards proactive, continuous monitoring of IT networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all – after all, you can only defend against that which you can see. Hopefully this report will help enterprises and public entities acknowledge the level of constant awareness that is required to protect the data that they are entrusted with.”

And Paul Davis, director of Europe at FireEye – an IT security product firm – commented: “It is hardly surprising that we are deemed unprepared to tackle current cyber security threats – as until recently, there has been a long-standing culture of complacency when it comes to proper cyber defence. While it is true that our national bank of computer experts is light in comparison to the number of cybercriminals attempting to break into our networks, there is also the issue that widespread overreliance on obsolete security tools and low awareness of the advanced tactics used by hackers is leaving too many networks wide open to attack.

“The stakes have never been higher, and cyber security is no longer a conversation restricted to the IT team – it is an enterprise-wide concern that must be treated as such. The advanced capabilities of hackers and the increased storage of highly sensitive data has created a perfect storm for cybercrime, and it is essential that board level executives are able to gauge the vulnerabilities within their organisation, and understand what investments must be made to combat that security risk.

“It is a great step forward to propose greater promotion of science and technology in schools to develop the next generation of cyber security experts, but what happens in the meantime? Organisations, particularly those with vulnerable intellectual property or critical national infrastructure to defend must urgently up the ante on security to avoid the potentially devastating consequences of attack. Constant monitoring and proactive threat mitigation are essential for bulletproof protection. With so many attacks reported daily, the odds really are stacked against organisations – and it’s time to fight fire with fire.”

Thurstan Johnston, sales engineer at cyber security product company Faronics, said: “This report rightly points out just how complex it has become to thwart cyber crime in the UK. There is no question that a shortage of skilled professionals is extremely detrimental to our cyber defence effort and it is something the government seriously needs to address if it wishes to defend itself from today’s sophisticated attacks.

“However, there is not just a skills gap to consider, but also a huge awareness gap that needs to be filled. Many organisations still believe that they are sufficiently protected with just a good security package, which not only indicates blazing ignorance, but also a lazy approach to combating cyber crime that could have expensive consequences. Threat mitigation has become an holistic endeavour, with skills, education and awareness being the essential elements.

“The lack of awareness within organisations is frightening, especially when considering just how much damage attacks can inflict. Organisations have had it drilled into them that anti-virus, firewalls and other perimeter security tools are adequate, however it is now the skills and awareness gap that needs to be focused on. If the government can begin educating today’s younger generation on both these deficiencies the UK will be in a much stronger position when faced with tomorrow’s cyber attacks.”

And Jarno Limnell, Director of Cyber Security for Stonesoft, said: “The UK NAO report is a breath of fresh air, especially in light of last week’s misguided proposal by the European Union which suggested that cyber threats can be solved by creating more statutes, directives and restrictions. Correctly, the NAO doesn’t just recommend throwing money at the problem. The right approach should be based on a strategic and technical understanding of the risk. This is the only way that the appropriate levels of defensive and offensive cyber security measures can be implemented and the relevant expertise acquired or nurtured. This leads to both cost efficiencies and better national security defences against cyber attacks.”

Mark James, Technical Director for ESET, said: “Cybercrime is often much more accessible to organisations than physical crime and we absolutely need to improve our fight against it. We need to start at the grass roots, and businesses and individuals have to be more aware that any data – however unimportant it may seem – is valuable to someone. To increase this awareness the Government and leading IT enterprises have a responsibility to be more involved in sharing their knowledge and educating others. But this is a complex problem – not only does it require education, but a change in the laws when it comes to punishing those involved.”

David Emm, senior security researcher at Kaspersky Lab, said: “The report by NAO has revealed more about the depth of the UK cybercrime issue and it is clear that there is certainly room for improvement. Last year, our survey of 3,300 senior IT professionals found that cyber-threats are regarded as the second most dangerous risk facing organisations today yet only 59 per cent of companies feel they are prepared for them.

“The government is keen to get the message out to businesses that they need to take cyber security seriously, using the expertise of GCHQ to engage with businesses. The launch of the GCHQ scheme encompasses threats to the Government’s own systems, but also the ‘critical infrastructure’ run by private companies. Initiatives to broaden the awareness of cybercrime must continue as targeted attacks are increasing. Organisations of all kinds and sizes need to understand that they have valuable data that is valuable to cyber-criminals.”

Bernard Zelmans, General Manager EMEA at IT security management product firm Firemon said: “Any initiative that helps encourage business executives to take proactive measures to identify what assets are at risk on their network versus reacting and patching after a breach has occurred can only be a good thing. In the US the Department of Homeland Security recently announced the continuous monitoring initiative and it’s encouraging to see similar initiatives being taken on a European level to address the ever-growing threat of cybercrime.

“Clearly, the traditional approach of reacting to an attack and patching the vulnerability is not preventing attacks and all organisations need to become more proactive and find and assess potential risks before attackers do. The technology to tackle these threats and put an early warning system in place to ensure that consumer data is protected is available today, yet some businesses still prefer to take a Russian roulette approach to guarding their customer’s private data.”

Geoff Collins, vice president of product management at UK IT firm 1E commented: “The National Audit Office paints a bleak picture about the UK’s readiness to fight cyber attacks, and it’s true that hackers have had the upper hand over recent years. Indeed, the report states that there were a staggering 44 million cyber attacks in 2011 alone, costing the country more than £27bn.

“While it’s important to have specifically trained staff to counter the growing hacking threat, the UK certainly can’t wait 20 years for the next generation of cyber-security experts to be inspired, educated and trained. Instead UK organisations need to think of immediate ways they can bolster their defences – and this isn’t just about deploying more firewalls and anti-virus software.

“All too often businesses think they can reduce their exposure to threats by adding more and more IT security solutions; in reality these disparate deployments leave gaping holes in the network, which hackers know all too well how to exploit. A complementary, yet often overlooked approach, is to ensure computer systems are tightly managed and properly updated, with regular OS patching, application whitelisting, upgrading of legacy (potentially highly vulnerable) applications as well as monitoring the use of admin privileges. These four systems management activities are proven to mitigate 85 percent of all cyber-attacks. By getting their systems in order, and harnessing the existing skills and toolsets of their systems management teams, businesses can beef up their security overnight. Strong systems management is strong security.”

