A new Detica study analyses interviews with IT decision makers in 100 UK companies with a turnover in excess of £350m per year. Eighty-five percent of respondents believe that cyber attacks will increase in the future; 5 percent believe they will decrease. But despite acknowledging the increasing threat, 89 percent of the respondents are fairly or very confident that they are well-equipped to prevent targeted attacks by outsiders. This apparent contradiction can only be explained by the optimism bias, the belief that when bad things happen, they won’t happen to me. “2011 has clearly led businesses to re-evaluate the level of cyber threat and impact, but it seems they are slower to recognise their true level of vulnerability,” comments technical director Henry Harrison.
But despite this general reluctance to admit personal vulnerability, the survey does show a slowly increasing acknowledgement of the importance of cyber security. Over the last year, belief that company boards do not appreciate the risk posed by cyber attacks has fallen from 38 percent to 29 percent, while the opposite view has risen from 40 percent to 57 percent. Nevertheless, it will still take something dramatic to make the board take the risk more seriously: 26 percent suggest it would require a successful attack against their own company.
One positive feature, suggests Detica, is that business is open to the government’s cyber security strategy, launched six months ago (November 2011), which stressed the importance of government and industry working together and sharing security information. Seventy-five percent of companies either are, or would be interested in becoming, engaged with government in addressing such issues. “Clearly,” says the report, “there is an opportunity here for the Government to build on the commitments made in the Cyber Security Strategy to work with British businesses to share information on threats in cyberspace, manage cyber risks better, and capitalise on unique Government experience.”
Detica’s conclusion is that progress in cyber security is being made, but that more work needs to be done. “The results of this research suggest that there is an opportunity for the Government to expand the scope of its partnership activity to include many more companies.” But the optimism bias remains an overall problem. The report points out that successfully detecting modern covert attacks requires investment in advanced analysis techniques, and that this investment is unlikely to be approved where the company is already confident in its defenses. “Our research suggests that this confidence may not be challenged unless a successful targeted attack is detected: a chicken and egg situation.”