back to article Please tell us why you're not securing yourselves, UK.gov asks businesses

The British government wants your bright ideas for improving the nation's cybersecurity because it wants to "understand the apparent lack of strong commercial rationale for investment" in locking down your shizz. As part of its fond hope of making the UK a bit more secure than the rest of the world, the Department for Digital …

  1. Giovani Tapini
    Holmes

    Post-card

    1. Security costs money, so we will just worry about security instead of fixing it

    2. Security holds up software engineers who are targeted on timescales more than quality/security.

    3. We havn't had an incident yet, so we will carry on regardless..

    Feel free to add to the list...

    1. Jedihomer Townend

      Re: Post-card

      With the government wanting to have backdoors into End-To-End Encryption; we thought we'd help them out by just not adding encryption...

    2. katrinab Silver badge
      Flame

      Re: Post-card

      We are a small insignificant company. Nobody is going to be interested in hacking us.

      [Not true obviously, but I've heard PHBs say that frequently]

      1. iron

        Re: Post-card

        That "Who would hack us?" line is a major problem.

        I've heard it from a consultancy in the oil industry that was sending software to the major multinationals every month. They'd never heard of hacktivists and didn't believe me that they were a prime target for those people, especially as a potential back door into the major oil companies.

        And also from my current employer a 3,500 user charity whose average user struggles to use a calculator let alone a smartphone or PC and who have 1 sys admin and 2 support people to pick up the pieces if something does go wrong. Never mind that we hold sensitive information about vulnerable people on unencrypted databases and file shares.

        1. VicMortimer Silver badge

          Re: Post-card

          If they're in the oil industry, please don't let them know.

          Not every company deserves to be saved.

      2. Anonymous Coward
        Anonymous Coward

        Re: Post-card

        The PHB's don't think through that some local hacker might have a go at them for shits and giggles, because they pass "Winchester Construction Supply" or "Joe John's Bakery" every day going to and from school or work. Or that the local hacker may have contacts that he shares info with about poorly protected local businesses, and those contacts have other contacts involved in malware encryption extortion, and those guys are always on the lookout for some poorly secured business whose computers they can shut down unless a Bitcoin ransom is paid out.

      3. Aussie Doc
        Paris Hilton

        Re: Post-card

        This!!!

        A small company I provide a service to never takes any of "that Cyber stuff" seriously because "we're not big enough to be bothered with."

        Then two weeks ago I'm called in to sort their non-working internet.

        Phones and internet had been cut off due to non-payment of $<mega> bill.

        Somebody had "clicked a link in an email that looked important" and shared enough info for the bad folks to get details for the baddies to change passwords on the phone accounts.

        Apparently there were six new mobiles added to the account and the bills went up quickly.

        Still being sorted but they have services back.

        "Yeah, cyber stuff's not that important to us."

        Paris because she probably didn't have a clue either.

        Anyhoo, carry on.

        1. GnuTzu

          Re: Post-card

          "...not big enough to be bothered with."

          Did you mention that their name is listed under the definition for low-hanging fruit?

          Oh but, surely* they would have accused you of attempting to up-sell them. Oh well, pay me now, or pay me later.

          * Movie references aside.

    3. macjules

      Re: Post-card

      4. We actually do not have a clue about internet security. Sorry about that.

      5. We are appointing a Digital Security Czar to oversee our lack of security and to advise us on why. This may be a high court judge appointment of someone in their late 70's with no experience of the "Internet".

      6. Apropos 5 above, we are intending to set up an MoD Cyber Security division. The cost to the taxpayer will be minimal, or so Capita assure us.

      (speaking as one with 25 years experience of UK government IT)

      1. Doctor Syntax Silver badge

        Re: Post-card

        The average High Court Judge has (a) had to fight MoJ's courts system and (b) has probably seen a much more varied slice of life than you and especially criminal life.

        1. macjules

          Re: Post-card

          It's called "humour" (sorry, if you are American), as in "sense of ...".

    4. Doctor Syntax Silver badge

      Re: Post-card

      4. We want to be able to click on all those links in all those exciting emails we get.

      5. Marketing want to send out lots of emails and all that fussing about BCC just gets in their way.

      6. The salesman told us that this cloud thingy would look after all that for us.

    5. Anonymous Coward
      Anonymous Coward

      Re: Post-card

      4. We'd rather spend money on the latest shiny new system for patient data, than securing that data.

      5. We don't need Cyber of Information Security staff as we have IT staff, they know about that stuff.

      6. We in the executives don't want to have to bother with that security stuff so we won't appoint anyone senior to care about it who has the faintest idea, experience or qualifications for it.

  2. andy 103
    FAIL

    Start employing people who actually know what they're talking about

    Had to chuckle when I read this as the reason UK Gov are asking for this is simply because they have no idea themselves.

    Unfortunately I can't find the source but several years ago someone high up (possibly David Cameron but can't confirm) came out with an absolute gem of wanting to work with industry to find a way to "delete a photo off the Internet". A total lack of understanding of how the technology works. No reference to the fact people could easily copy and redistribute the material before that magic button was pressed.

    Then we have nonsense like PCI Compliance. Oh yes, as long as you have a written procedure and your staff know where it is, that's enough to label your company as "having secure practices".

    Essentially you've got people who are not fit for purpose, coming up with plans which are not fit for purpose either. That's the real issue. Maybe get some people in to educate the Government on how technology actually really really works? Too simple?

    At the other end you have bean counters who think spending extra time (and therefore money) on secure development is a waste of money. I've no words or advice to people who are that stupid.

    Once did some work for the NHS. Had to write pages and pages about how we'd work with security best practices in mind. Only to be told they wanted said application to run in IE 6 and handed over a password to a related system which was anything but secure.

    So, they're just a few things...

    1. Giovani Tapini

      Re: Start employing people who actually know what they're talking about

      Agreed. I think this has come up in comments before that in the last decade software development has been de-skilled substantially. I used to rely on my lead developers having a good deal of situational awareness which is simply not the case most of the time now. Exacerbated by body-shopped coders who wont go to the effort of writing reliable and secure code unless its rigorously enforced.

      1. StaudN
        WTF?

        Re: Start employing people who actually know what they're talking about

        It's not the devs which are "de-skilled", or indeed development skill which is even in question above. It's the manglement which is consistently uninterested in anything which adds additional time and cost overheads.

        Did you actually read the post above, or did you just type "Agreed" followed by your own unfounded opinion?

    2. Anonymous Coward
      Anonymous Coward

      Re: Start employing people who actually know what they're talking about

      "Then we have nonsense like PCI Compliance"

      Yeah, where they test the security of your connection but insist on that security being crippled (eg their IPs being whitelisted) to allow them to complete the scan. And where if you fail the test you can optionally just pay a fine to continue as before, which is less than fixing the issue with your actual security (or what they perceive to be an issue) so from a financial perspective the fine makes the most sense.

      Actually had a client that had a simple setup and a basic firewall which blocked everything inbound (since no inbound was needed), and didn't have the facility to whitelist the PCI Compliance company's IPs. Ended up suggesting it'd be cheaper to pay the nominal fine each year than to replace their firewall hardware simply to allow the tester to bypass the firewall.

      1. Giles C Silver badge

        Re: Start employing people who actually know what they're talking about

        PCI compliance is a lot more that just allowing someone to check a firewall. Although I have to agree with the whitelist our IP argument. If they can’t bypass my firewall then the system is secured from outside, the bigger problems are the databases are and the internal systems.

        However it encompasses a whole lot more than that. Endpoint security, data at rest, data encryption.

        Working for a well known insurance broker the pci audits took several weeks to do each year, and the amount of prep work was large - not because things had to be changed but due to the supporting data that had to be supplied to the auditors each year.

      2. Anonymous Coward
        Anonymous Coward

        Re: Start employing people who actually know what they're talking about

        There's no PCI-DSS requirement to whitelist all ASV scanner traffic on your external firewalls. The only thing you need to whitelist is active/dynamic rules that change on the fly in response to behaviour (eg blocking an IP because a scan has been detected). External ASV scans just require the same access that an internet-based attacker would have - nothing more. In this case (based on the information provided), if no inbound traffic is permitted, there would be no reason to whitelist inbound traffic for the external scan.

        1. Anonymous Coward
          Anonymous Coward

          Re: Start employing people who actually know what they're talking about

          Problem is that while some firewalls don't allow for whitelisting the scanners IPs they do have port scan detection. So even though no ports are open they'll initially respond that you can't connect, then start dropping the packets once the scan has been detected.

          So just like an internet based attacker, the tester gets their connection attempts dropped... but they want you to whitelist their IPs to prevent that despite the fact that dropping those packets IS the behaviour anyone else would see trying the same thing (or of course turn off port scan detection, which isn't really an option!).

    3. Doctor Syntax Silver badge

      Re: Start employing people who actually know what they're talking about

      "Maybe get some people in to educate the Government on how technology actually really really works?"

      You mean something like setting up an enquiry and asking industry to provide evidence? So why does it make you chuckle?

      1. Anonymous Coward
        Anonymous Coward

        Re: Start employing people who actually know what they're talking about

        You mean something like setting up an enquiry and asking industry to provide evidence? So why does it make you chuckle?

        Because no government call for advice is ever intended to actually intended to take any given, but to be used as a fig leaf for spunking hundreds of millions with whoever owns the preferred snout for the trough this week.

        This time next year, you'll get an announcement that Capita have been awarded a contract to run the governments "IT security bureau"

      2. andy 103

        Re: Start employing people who actually know what they're talking about

        You mean something like setting up an enquiry and asking industry to provide evidence? So why does it make you chuckle?

        Because they already employ people - often on considerably high salaries - who should know the answers to the questions they're asking. Or in the case of the point I made about the "deleting photos off the Internet" comment - people who should have a better grasp of how things actually work before commenting on what action needs to be taken.

  3. tiggity Silver badge

    Small biz

    From my experience many of them have view of "we are too small to be a target".

    Which so often, unfortunately, proves to be misplaced optimism.

    Another problem is small biz less likely to have decent DR policies in place (so when something nasty occurs (e.g. crypto locker) it is difficult or maybe even impossible for biz to properly recover in a short timescale.

    Lets bear in mind in many small biz people are very busy and as long as IT is "working adequately" its not high on most peoples agenda as keeping revenue / cashflow going is top priority.

    1. Keith Langmead

      Re: Small biz

      I think the marketing departments of many of the "cloud" providers need to take some responsibility for this. They sell their services to small companies as being easy and quick fixes, and leave out the limitations of what they offer. I've heard several small companies state that they have "offsite backups", only to find that they're simply using one of the cloud sync services. Have to explain to them that no that isn't a backup, and provides no protection if for instance their data is encrypted, or a file is overwritten, since that'll be synced as well and many of the services only keep the most recent version of a file.

    2. JohnFen

      Re: Small biz

      "From my experience many of them have view of "we are too small to be a target"."

      The irony of this is that very small businesses are often the preferred target of hackers (especially if those business contract with larger businesses such as credit card companies, government agencies, etc.) precisely because they know that small businesses think that way.

      1. Roland6 Silver badge

        Re: Small biz

        >The irony of this is...

        I think this is where "the media" have contributed to this misconception; it is only really newsworthy if its big and so encourage people to believe small is safe, not realising that it is the scammers who are the real risk. Hence why ransomware has become relatively profitable, once scammers realised they stood to gain more by asking for £50 rather than £50,000 to unlock files.

  4. GruntyMcPugh

    We're saved!

    A former journalist with a degree in English Literature must surely know all the hashtags!

  5. Alister

    what government could do to help and what incentives might encourage firms and businesses to manage their cyber risk.

    Perhaps leading by example might be a good start.

    If Gov IT was perceived as secure and robust it might, just might, incentivise other businesses to give a damn.

  6. Anonymous Coward
    Anonymous Coward

    Government who can create and enforce regulations to ensure security asking why businesses aren't secure shocker. I think tonight I'll ask the cat why it stays out all night when the cat flaps open.

  7. tiggity Silver badge

    A job for Jennifer A

    As a worthy recipient of UK gov cash for IT security expertise.

    When she's not busy with a johnson* spaffing up her sugar walls, then she could devote some of her leet hacker skills to giving some IT advice given all the cash pushed her way.

    * johnson (uncapitalized!) used as a common term for the male member, legal bods please note I am in no way implicating anything to do with any person with name of Johnson (capitalized)

  8. Al fazed
    Pirate

    It's all a load of bollocks

    Between the people who want systems and the people who make them there are so many opportunities to create a cluster fuck, you need to be very well versed before you implement an IT system, however, any idiot can build a web page using Word Press or similar, and as it has aalready been pointed out, the IT skill set in business is dimishing. I know several people who eventaully packed away there IT company in favour of regular work sweeping up and a healthy work life balance.

    Small companies make up the greatest number of businesses, but employ the least staff.

    The Go Vermins via the HMRC and the Courts are crushing the IT experts and their business models in ridiculously imbecillic ways whilst allowing multinationals away without paying any tax.

    The sooner they all comletely fuck up the economy with their safety critic systems and fake news, concepts of Farcificial Intelligence and 5 fucking G, the better.

    Sadly until those twits with any pretentions to being in power decist their bullying and come down from their ivory towers and enter the real world, computer security is a damn good business to be in, if any business is ................

  9. Anonymous Coward
    Anonymous Coward

    Please tell us why you're not securing yourselves, UK.gov asks businesses

    "Because we were too busy getting ready for that Brexit thing on the 31st of October your expensive ads kept warning us about".

  10. John Smith 19 Gold badge
    Gimp

    Demand an end to E2E encryptiong then b**ch about lack of security.

    F**k em.

    They've certainly tried to f**k the British public

    At every opportunity HMG data fetishists demand data they don't need for reasons most people wouldn't like if they were told (and hence why they aren't told).

  11. JohnFen

    It's obvious

    The "why" is really obvious -- being secure requires addition time, effort, and money. As long as businesses think that being secure won't harm or help their business, they're not going to do it.

  12. Anonymous Coward
    Anonymous Coward

    Lack of strong commercial rationale for investment

    > British government wants your bright ideas for improving the nation's cybersecurity because it wants to "understand the apparent lack of strong commercial rationale for investment"

    They are not going to spend money on security as long as there are no effective legal sanctions for losing their customers data.

    1. RobinCM

      Re: Lack of strong commercial rationale for investment

      In the same way that it's illegal to drive a car without a valid driving licence, it should be illegal to operate an internet-connected computer with (at a minimum) being Cyber Essentials Plus certified.

      Business insurance should be impossible to acquire without CE+ too, unless you certify that you do not have any internet-connected IT systems.

      That to me send to be the only way to force people to do this stuff.

      Going back to the car analogy, who would bother with the expense of driving lessons and passing the test if it wasn't a legal requirement? Who would bother getting their car MOT done every year if it didn't have legal implications?

      The softly softly approach has been proven to fail. Standards must be adhered to in other fields of engineering (electrical, civil, construction, etc.) and it's high time that IT caught up.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like