Cyber defence skills lacking, says report

The UK lacks the skills to protect itself fully from cyber attacks that cost the economy up to £27bn a year, despite a £650m spending boost from the government.

A National Audit Office report published on Tuesday said the number of IT and cyber security professionals had not risen in line with growth of the internet economy.

The NAO said this skills shortage hampered the country’s ability to protect itself online. The shortage was not limited to IT workers. Psychologists and risk managers as well as specialist police, lawyers and accountants were also needed to manage and mitigate threats.

The government has said it intends to overhaul IT teaching in schools and make cyber security part of a future GCSE computer science syllabus. Even so, the NAO said it could take 20 years to address the skills gap.

The report said the UK’s internet economy reached £121bn in 2010 and cyber crime was costing £18bn-£27bn a year.

David Emm, senior security researcher at Kaspersky Lab, an IT security company, said the government was focused on cyber crime.

“The highly sophisticated attacks like Stuxnet have over the past couple of years sharpened the mind of government about what the potential fallout could be from an attack like that,” he said, referring to the first worm to target critical infrastructure.

Mr Emm said the real battle lay with raising awareness among small and medium-sized businesses.

“There’s a danger people will think ‘this is something that applies to big organisations with a public profile’. It’s important that all organisations recognise they have valuable data, whether it’s customer information or intellectual property.”

Skills were not the only problem identified by the report, which also blamed business and consumer behaviour.

The extent of Britain’s cyber problem was hard to gauge because many cyber attacks are dealt with in secrecy as companies avoid making them public for fear of damaging their reputation.

Sony’s share price fell 5 per cent in 2011 when it made public the attack on its PlayStation Network after millions of customer records were stolen.

Mr Emm said companies were starting to get over their fear of disclosure.

“If you keep quiet about it you don’t look like a company that’s been breached, you look like a company that’s been trying to cover things up.”

The most common forms of cyber threat in the UK are malicious software (malware), online credit card fraud and social network profile hacking.

The Government Communications Headquarters (GCHQ) estimated that 80 per cent of cyber attacks could be prevented through simple computer “hygiene”, such as using passwords that are hard to break. However, in 2012 the top three passwords were “password”, “123456” and “12345678”.

In 2010 the Government allocated an extra £650m of funding over four years for a National Cyber Security Programme.

The NAO report identified the top three spenders as the security and intelligence agencies, which detect and defeat threats; the Home Office, which enforces cyber crime laws; and the Ministry of Defence.

Copyright The Financial Times Limited 2017. All rights reserved.