Monday, 16 December 2013

Cyber security vetting scheme is right move by government, but SMEs need more attention

The security industry has welcomed the UK government's latest plan to establish a Cyber Security Suppliers' (CSS) scheme, intended to push the UK's annual cyber security exports past £2bn within three years. However, the lack of attention paid to SMEs may cause problems for the economy in the coming year.

The plans were outlined by Francis Maude on Thursday on the two-year anniversary of the launch of the Cabinet Office's £850m Cyber Security Strategy. They will see workers on projects involving securing UK government networks stringently tested and accredited by the Institute of Information Security Professionals (IISP), the Council for Registered Ethical Security Testers (CREST) and Royal Holloway University's Information Security Group (ISG).
Furthermore, businesses that have supplied government departments with security products will now be able to state publicly that they have done so, the hope being that innovative firms can advertise their successes and win more lucrative contracts as a result.
Malcolm Marshall, head of cyber security at KPMG, said more rigorous accreditation would benefit the UK's cyber defences, but with the caveat that "board-level debate" would be required in order to properly understand the threats posed to UK companies.
"It's fair to say that organisational cyber security standards are keenly awaited by the security community and by business at large, but to work effectively they must be pragmatic and recognise the challenges of smaller firms trying to raise their cyber security game," Marshall said, adding that the UK would have to ensure it does not become out of kilter with the international security debate.
"It is also worth reminding ourselves that commerce in cyberspace is global, and that any UK standard must build on recognised international approaches, with a weather eye on US initiatives. We need to resist the temptation of the UK ploughing its own furrow."

The government's Cyber Security Information Sharing Partnership (CISP), under which UK businesses pool security intelligence in a so-called 'Fusion Cell' so that firms can collaborate on pressing security issues and vulnerabilities, will also expand. In the coming year the scheme is set to double in size, with 500 firms to be granted access.
BAE Systems Detica managing director Martin Sutherland said CISP's expansion made the UK a mighty force in the battle against cyber threats. "Traditionally, governments and industry have taken a largely sectoral approach; where the UK's CISP is unique is that it is a world-leading cross-sector initiative and exploits the commonalities between different sectors to share knowledge and raise threat intelligence maturity," he said.
"Consequently, it allows a wider range of companies to benefit from the cyber knowledge it shares. A clear message is being sent that information sharing with industry is a key priority for UK government."
However, concerns remain about CISP's lack of support for SMEs, with Symantec's senior director of government relations, Ilias Chantzos, highlighting a continuing lack of understanding among smaller firms of the risks they face. "SMEs frequently do not have the resources or knowledge of how to protect themselves from today's evolving and relentless threats," Chantzos said, citing a Symantec study that found SMEs were the target of 31 percent of cyber attacks.
"No one person, body or organisation can address this challenge alone; public-private partnerships continue to play a crucial role."
Cyber security is often neglected by even the UK's largest businesses. A study of the UK's FTSE 350 found that only 14 percent of firms were regularly considering cyber security threats, something the government is looking to improve in the next year.

G-20 hacked by "Chinese" hackers using naked pictures of Carla Bruni as a social engineering lure

Security researchers have found that Chinese computer hackers dangled the promise of nude photos of former French first lady Carla Bruni as bait to lure in targeted foreign ministries during the Group of 20 economic summit in Paris in 2011. The scheme worked, for the most part.
According to a report published by computer security firm FireEye on Tuesday, the attackers homed in on the G-20 meeting of finance ministers and central bank governors and breached senior officials' high-priority computer networks via an email with the subject line "French First Lady nude photos!" The report also said the attack was not an isolated incident and that the hackers had been active since 2010.
The email carried malware behind the link to the supposed photos. Once a recipient opened it, the message was forwarded on to others, spreading the lure further.
"Almost everybody who received the email took the bait," a government source in Paris told Australia's The Daily Telegraph.
An anonymous source close to the investigation told The New York Times that five of the ministries attacked were from the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.
However, investigators could not confirm the identity of the hackers or which specific files were taken.
"Beyond the fact they are Chinese, we don't know who the attackers are or what their motivations might be," Nart Villeneuve, a researcher on the FireEye report, told the Times.
If only the easily swayed foreign ministries had known nude photos of the former super model and songwriter have been circling the Web for years from past photo shoots. Sigh.
This isn't the first instance of alleged hacking at a G-20 gathering. Just last month former National Security Agency contractor Edward Snowden leaked NSA documents accusing the U.S. and Canada of spying on top leaders during the G-20 and G-8 summits in Toronto in 2010.