
BlogSpot: Why don't organisations adopt cyber security measures?

Tony Dyhouse

About the author

Tony took over as Director of the Cyber Security Knowledge Transfer Network in 2009, continued as Director of the Cyber Security programme within the Digital Systems KTN and now within the ICT KTN. Tony joined DERA (now QinetiQ) in 2000 and became the Director of QinetiQ's Operations & Technical Services group, providing a range of managed security services. This role was followed by a spell as Director of the Information Assurance Consultancy group before becoming Director of the Cyber Security KTN. His expertise extends across all areas of Cyber Operations and Information Security, with specialist knowledge in Network Intrusion Detection, Penetration Testing, Incident Response and Digital Forensics. Tony's early career was with British Gas, ICL and Fujitsu, spanning over 28 years in the IT industry with experience in Telemetry, the operational management of WANs and LANs and various security technologies. Tony works with a range of public and private sector organisations on matters of Cyber Security, as well as being active in several industry forums and strategy groups. He is a regular contributor to BBC television and the author of published features and articles.

Persistent problems are rarely easy to solve.

It is often necessary to go back to grass roots and question accepted assumptions and theories to make progress.

Why are organisations not adopting appropriate cyber security measures?

ICT KTN and Security Lancaster set about finding out.

A great deal of cyber security resource and advice has been directed at all organisations in the UK over the last few years.

We hear about an ever-increasing range of attacks against UK industry, trying to steal identities and intellectual property.

Yet despite increasing assistance, large organisations keep falling victim to such attacks, usually as a result of human gullibility rather than technological genius.

This is understandable due in part to the large number of people they employ - each person effectively forming part of a vulnerability footprint.

So, surely, a smaller organisation should find it easier to adopt appropriate advice?

Our Small Business Survey 2012 indicated that this was not the case and that even cyber-savvy SMEs were failing to adopt the 'best practice' measures being regularly suggested.

A key finding in the report refers to the current practice of lumping together any company with between 1 and 250 employees as an 'SME'.

When you think about it, that's clearly not sensible due to the differing requirements throughout that size-band.

Obvious? Then why do we insist on a 'one-size-fits-all' approach for SMEs?

Further, although cyber security professionals insist the sky is falling in, most micro and small businesses don't care because the complexity and the cost of doing something about it would threaten their existence anyway.

They often conclude that the treatment is worse than the illness as it takes away their agility and flexibility - their prime survival advantage.

One thing we had predicted is that the "fear, uncertainty and doubt" expressed in a new language and handed out by the bucket-full has had a negative effect. That language is often a source of contention, even for those who claim to understand it, and words such as 'attacks', 'hacks' and 'compromise' carry an emotional charge of their own.

As one participant commented: "Cyber security is presented in such a scary way I am not about to poke the wasps' nest to see how scary it actually is!"

Small Business Cyber Security Workshop 2013: Towards Digitally Secure Business Growth

Mon 13 May 2013