For cyber security professionals, annual reports on the cyber landscape have become a familiar part of the calendar.
Well-known examples from commercial sources include Symantec's Internet Security Threat Report and Verizon's Data Breach Investigations Report. These contain useful material, especially as, year on year, they build a picture of evolutionary changes and trends.
Governments also produce annual reports. Australia publishes the Cyber Security Survey, while in the UK there is the Cyber Security Breaches Survey. Whether commercial or public sector, these reports contain much of interest. Unlike their commercial counterparts, however, the governments' use of surveys gives a view of cyber security as seen from target and victim organisations. The result is less of a focus on threats and more of a focus on the preparedness of respondents: governance and boardroom awareness; levels of investment; how information risk is managed; and the costs of being breached.
Apart from the more obvious extracts quoted as headlines - “69% rated cyber security as high priority”; “only 13% of all businesses set cyber security standards for their suppliers”; and so on - there are other figures which tell their own story. One example is in the UK’s recently published Breaches Survey regarding the use of cyber security guidance published by the government. According to the survey just four percent of respondents had referenced this source. Four percent.
Why is this surprising? With only one reputation to lose, the government – especially CESG until 2016 and the National Cyber Security Centre (NCSC) since then – takes great care to publish only what it knows to be right. This applies across the range of advice and guidance it produces, from frameworks such as the 10 Steps to Cyber Security through to device-specific guidance. The result is a portfolio of material of high quality.
So why, according to the Survey, is the use of these high quality materials so low, especially compared with other sources such as external security consultants? One reason which the Survey also surfaces is a lack of awareness of the source or of the individual schemes. At first sight this might appear odd: there is never a lack of awareness of increases in duty or tax, or of changes to healthcare or education, so aren't other government activities similar? Instead, the evidence points to a long-standing government practice of investing in the development of, say, guidance, launching it, and then not promoting it further. In marketing terms we might say there is an excellent product, at an irrefutably good price (free), placed fairly well but then not promoted.
Perhaps there is a reason. Part of the NCSC's job is to bring together the government's guidance and advice into one place to make it more accessible, but the NCSC only came into being in autumn 2016. While this is true, the same advice and guidance had previously been available for several years from gov.uk. And here is the challenge: it is not that the material isn't available; it is awareness of it (and of its quality, since reputation only comes with exposure and use) that remains low.
Leaving their use to one side, the Survey also describes business awareness of the government's cyber security initiatives and standards, and this provides another pointer to the possible cause of low usage. Launched in 2012, the 10 Steps to Cyber Security, which is seen by many as seminal, has an overall awareness level in business of 13%, while the more recent Cyber Essentials scheme is at 8%. As a comparator, the most obvious non-government source – ISO 27001 – was known to 21%, a figure rising to 57% among large businesses, which are its target market. Neither the 10 Steps nor Cyber Essentials has received or benefited from a traditional marketing campaign.
Cyber Aware, by contrast, was known to 21% of respondents. Previously called Cyber Streetwise, Cyber Aware has received government investment in its promotion, which makes it the odd one out in this context. The result is that it is better known than the other initiatives.
If this logic is correct, the message for the Government is clear. Year on year investment in the development of guidance, advice and practical assurance schemes has produced results - guidance, advice and schemes, that is. But the investment mustn't stop at the launch event. Telling an intended audience once that something new and excellent has been produced is not enough; without further promotion, there is a real risk that the investment is squandered.
While it might not align easily with the government's sense of propriety - especially in a time of austerity - there is nonetheless a need to use marketing campaigns to get the message out. Only then does the excellent trove of guidance produced for the benefit of UK companies stand a chance of really making a difference.