Should big business be made to declare major cyber-attacks?

By Kevin Bailey, Head of Market Strategy.

Should Labour regain power next year, big businesses could be forced to publicly admit to major cyber-attacks from criminal gangs or state-backed terrorist groups, according to a recent article by Mark Leftly in The Independent. The party's defence spokesman Vernon Coaker said that he believed it should be "a legal requirement" to disclose attacks, but admitted that it is "a balance between [needlessly worrying the public] and security".

Politics aside, surely CIOs of large organizations are concerned for the same reasons as Mr Coaker? Should big organizations disclose attacks? And if they do, what are the consequences? Reputational damage from a cyber-attack can be hugely detrimental, but the fact is that today smaller companies are increasingly vulnerable to attacks, as hackers have become increasingly sophisticated at attacking the weak point in a value chain; there seems to be much to learn from greater transparency in the industry.

Going back to Coaker's worries about balance and security, this proposed policy should surely be applied to public sector organizations as well? In the same way that "white hat hackers" infiltrate organizations to test cyber security readiness in businesses and aid the development of cyber security technology, sharing incidents of major attacks will help to further understanding of the strategies and technologies used by the "black hat hackers". With further understanding comes an increase in awareness, and it is crucial that all businesses become more conscious of their vulnerability to cyber security risks. SMEs are increasingly at risk of cyber-attacks due to a lack of awareness, limited security measures and resources, and the often overlooked human element (the Enemy Within). Whilst larger companies are more likely to invest in data protection software and cyber security policies, smaller companies have a more fragmented infrastructure and are too often lax with data protection.

This increase in awareness should already be swelling within the SMB community, following the recent ICO regulations that mean small companies that don't comply with data protection regulations risk incurring crippling fines. But do small companies really pay attention to ICO regulations? How can the government increase understanding of the regulations and help a smaller organization prepare its IT infrastructure for more stringent data protection policies? Perhaps, through bigger businesses being prepared to share incidents of cyber-attacks, UK business as a whole can develop a better understanding of cyber security. But business is business, and reputation matters, so I think we can expect some opposition to this proposed policy.