Companies who do not “come clean” about being the victims of cyber crime should face prosecution, according to former defence secretary Liam Fox.
The Conservative MP for North Somerset was speaking at the Royal United Services Institute (RUSI) in a lecture entitled The war of the invisible enemy.
He believes the government should introduce legislation that makes it a legal requirement for companies to inform shareholders and other stakeholders when the organisation has been hacked.
The lecture was aimed at addressing the fact that society has to consider the whole range of cyber vulnerabilities as it becomes increasingly dependent on technology.
According to Fox, cyber crime, cyber espionage and cyber warfare are all part of the same continuum, which has substantial implications for national security.
He said organisations that leave themselves vulnerable to these activities make themselves part of a national security threat.
“On a security and defence level, it is clear to me that one of the greatest of these new threats is cyber crime – including cyber terrorism and cyber warfare,” Fox wrote recently in the Telegraph.
Writing on the same theme as the RUSI lecture, he said that, as society becomes more dependent on technology, everyone has become more vulnerable. “We are being drawn inexorably into the era of the war of the invisible enemy,” he wrote.
Against this backdrop, Fox told attendees of the RUSI lecture that it is necessary to develop proper cyber doctrine and persuade both the public and the military to spend more on the invisible technology that will protect us from some of these threats.
Cyber security central to business
Fox called on all organisations to commit to greater cyber defence and transparency in the event of a breach.
Nicole Eagan, chief executive of security firm Darktrace said greater transparency is an important step in acknowledging the importance of improving the country’s resilience to cyber threats.
“Cyber security is a topic for businesses of all sizes and sectors and increasing awareness of the risks to business leaders is welcome,” she said.
The benefits of the digital world are central to modern business, said Eagan, and cyber security is fundamental to playing the game.
“It is impossible to guarantee that no attack can enter a company network and we recommend companies work on the assumption that there is always some level of hostile presence,” she said.
Eagan said businesses need to get smarter and break away from the legacy approach. “They should shift instead to a more realistic mindset that accepts there will be problems and that things will go wrong, but enables the swift adoption of effective strategies to address an ongoing and inevitable issue.
“Modern self-learning immune systems that look inside company networks can identify in-progress attacks and allow companies to respond before they become a business crisis. This is the future of cyber defence,” she said.
Mitigating the inevitable
Terry Greer-King, director of cyber security at Cisco UK and Ireland, said cyber attacks have become inevitable.
“It is critical that organisations protect the business and their customers by adopting an integrated, threat-centric security policy that addresses the entire threat continuum – before, during and after an attack,” he said.
Given the extent of the issue, Greer-King said businesses of all sizes need greater awareness of the current threat landscape to ensure they are prepared to protect against the risks.
“We welcome the call for greater disclosure around the number and severity of hacks taking place,” he said.
Collaboration between enterprises, government and law enforcement is vital to allow for efficient detection and remediation of cybercriminal activity, said Greer-King.
Proactively addressing cyber risk is crucial, he said, because Cisco research reveals 60% of data is stolen in the first few hours of an attack, while 50% of attacks manage to persist for months – if not years – without detection.
“This means that, by the time a company realises they have been breached, the damage has most likely already been done. Addressing the time it takes to detect an attack will have a huge impact on the severity of an attack – yet greater awareness and industry collaboration is needed to solve this.”
Discrepancy between protocol and trust
Greg Sim, chief executive of security firm Glasswall Solutions said Fox’s comments on the level of threat posed by criminal and state-sponsored hackers reflects what many in the cyber security industry already know to be true.
“Neither governmental legislation nor organisational protocol have been able to keep up with the level of trust we have placed in the security of our online infrastructure, resulting in an incredibly high amount of risk in regards to our personal data, finances and our nation’s security,” he said.
As has been demonstrated by data breaches such as the one at TalkTalk, Sim said cyber criminals are ready to exploit these shortcomings.
To stay one step ahead of the hackers, he said the time has come for businesses to change their mindsets to stop concentrating on detecting known threats to focus on validating “known goods’’.
“As cyber-security continues to rise up the boardroom agenda in 2016 – no doubt emphasised by inevitable high-profile breaches – expect to see more changes to legislation, corporate cultures and practices,” said Sim.