CYBER RESILIENCE HOW TO PROTECT SMALL FIRMS IN THE DIGITAL ECONOMY
FSB-Cyber-Resilience-report-2016
fsb.org.uk

The role of the private sector in increasing cyber resilience

The private sector also needs to adapt to improve overall cyber resilience. The rebalancing of responsibility within the private sector should include:

• Businesses taking as much responsibility as is practical for them. Small businesses need to be made more aware of the risks that come with operating online. Only with a better understanding of those risks, and of the negative impact they can have, will small businesses be able to adjust their practices and processes in the most effective ways. Owing to the constraints they operate under, small businesses need support from others to take the actions necessary to increase their cyber resilience. There are also many things that resource and knowledge constraints mean small businesses will not be able to do, or are not best placed to do.

• Digital infrastructure providers taking more measures to help protect users who are not adequately resourced to protect themselves, such as small businesses.

• The larger economic infrastructure providers taking more responsibility by increasing the cyber resilience of their own systems and practices, in addition to helping their vulnerable users, such as small businesses, improve their own cyber resilience.
1. Strong foundations for cyber resilience policy

Before outlining specific measures aimed at dealing with the three categories of causes of cyber risk, Government can make a number of reforms that will provide a set of strong foundations.

A more flexible approach to regulation

Before looking at specific areas of regulation, or at specific regulations and regulatory reforms, the Government should look in detail at:

• Its general approach to regulating cyber resilience issues. The fast-changing world of cyber threats and the risks they pose raise questions about the viability of aspects of the current mode of regulation.

• Making sure that its ability to deliver services to the business community is resilient. There is little point in the Government playing a major role in implementing measures to help and encourage the private sector to be more cyber resilient if Government is not sufficiently resilient itself.
Regulating for cyber resilience

Traditional regulation is based on a prescriptive command-and-control model, where detailed standards are set out and compliance with those standards is monitored through reporting and external inspection.

These standards do not usually reflect risk, but are instead based on hazard. Hazard-based standards can lead to regulatory micro-management and unnecessary burdens rather than generating buy-in from those being regulated. This hinders the development of the broader behavioural changes that are needed to change the norms of complex systems.

The problems of regulating security issues associated with digital communications technologies in this way are well known:

“Regulations that dictate specific solutions can be a poor fit for cyberspace…[a]…focus on compliance can turn security from an iterative, adaptive process to an organisational routine disconnected from the risks faced. Compliance replaces accountability, since organisations can avoid any decision that might improve security”. 81
81 Singer, P. W. and Friedman, A., Cyber Security and Cyber War: What Everyone Needs to Know, 2014.