'Lax practices' to blame for cyber-attacks
by Wieland Alge
Publicly acknowledging cyber incidents and proper regulation are essential to protecting others from falling prey to the same kinds of violation – which is where the EU's cyber security strategy comes in, writes industry expert
The European Commission has finally published its long-awaited cyber security strategy, which reflects the realisation that cyber-attacks are not a purely military matter. In any conflict, critical infrastructures can, and will, be targeted.
Governments need to have a clear and immediate understanding of the threat situation, which requires businesses in critical industries to report attacks in full and as soon as they are discovered. This sharing of attacks, vulnerabilities and damage will be essential to developing counter-measures to protect others from falling prey to the same kind of violation.
Since the proposal was first made public, businesses have opposed the possible legislation, raising objections about trade secrets and data confidentiality that are quite unfounded. By focusing only on their reputation and stock market value, they are forgetting that what is really at stake in an attack is the customers' data.
By customer, I mean us, and that means our data. If our data is being stolen then we need to know about it. We stand to suffer from its misuse. Any piece of sensitive information about us, and our behaviour, could be used in targeted phishing attacks – such as the ones used to hack the New York Times' editorial systems.
Banks, cloud providers, hospitals and even search engine providers are now being labelled as 'Critical Infrastructure'. These companies will have to report to a set of national authorities to be named in each member state under the new proposals. In addition to these authorities, member states will be required to install a Computer Emergency Response Team.
According to the European Union, only one in four companies currently self-regulate and review their information and computer technology procedures. What is more, the EU claims that those businesses that operate in the ICT sector are not much better, with only 50 per cent of these businesses reviewing their policies.
It is these lax practices that are responsible for the high number of attacks on UK businesses. One-third of all UK small businesses suffered a cyber-attack last year alone. Some 93 per cent of larger businesses came under an attack of some sort in the same year, according to EU digital agenda commissioner Neelie Kroes.
Incidents that can affect the security of information systems range from natural disasters and human error to a system failure – for example, a failed software upgrade. But cyber incidents may also be the result of criminal activity, from people hacking into a network for profit or from terrorists or state-sponsored attacks.
The strategy will achieve cyber resilience; drastically reduce cyber-crime; develop cyber defence policy and capabilities related to the Common Security and Defence Policy; develop the industrial and technological resources for cyber security; and establish a coherent international cyber space policy for the EU.
I am in favour of the upcoming draft proposal and I hope it goes into action. The EU cyber security strategy needs a provision to force companies to acknowledge attacks on their systems and make them public, because to date, leaving them to use their own judgment about whether to publicise such attacks has not convinced them to do so.
Wieland Alge is vice-president and general manager for Europe, the Middle East and Africa at Barracuda Networks