The UK's £650 million cyber security fund is just a drop in the ocean and is simply not enough to combat the threat to the country according to one leading cyber security expert.

GCHQ Joint Cyber Unit
The Government Communication Headquarters (GCHQ) in Cheltenham which houses the UK's Joint Cyber Unit. (Credit: Reuters)

Cyber-attacks are happening with increasing regularity and increasing sophistication. From cyber-criminals trying to steal an individual's bank details to state-sponsored cyber-espionage, the online world is a dangerous place.

While everyone is responsible for protecting their own individual information online, the government also plays a crucial role in making sure its citizens are protected from all forms of attack.

In 2010 the government recognised this fact, and listsed the threat of cyber-attack as a Tier 1 Threat. Acting on this, in November 2011, it published its Cyber Security Strategy which outlined a plan to combat this threat and "make the UK one of the safest places to do business online."

A four-year plan with £650 million in funding, the Cyber Security Strategy is still in its early stage, but according to a National Audit Office review "activities are already beginning to deliver benefits."

We have seen the establishment of a Joint Cyber Unit hosted by GCHQ in Cheltenham, which brings under one roof the operational, strategic and technical teams dealing with the UK's cyber-security.

The Serious Organised Crime Agency (SOCA) has repatriated more than 2.3 million items of compromised card payment details preventing a potential economic loss of more than £500m. In the past year alone, the public has reported to Action Fraud over 46,000 reports of cyber-crime, amounting to £292m worth of attempted fraud.

This past week the government has established its second Academic Research Institute, with the proviso of investigating techniques for automatically detecting vulnerabilities in software used by individuals, businesses and government.

But is this enough?

David Emm, senior security researcher with Kaspersky Labs, says that despite all these good intentions, it is simply not enough:

"On the one hand the government is saying how vital [cyber security] is, and I think they are right, but actually £650 million, I'm not sure how far it will go, when you are talking in these terms."

In the cyber-security world, it is clear that money talks above all else.

Hackers-for-hire will follow the money with national borders meaning little to these cyber-mercenaries. Countries offering huge cash rewards for their services will be able to attract the best people in the industry and smaller nations could soon become big players on the world stage.

Spending £650m over four years to protect the UK government, business community and private citizens suddenly seems like a drop in the ocean.

Especially when you consider the cost of cyber-crime to the UK is currently estimated to be between £18bn and £27bn.


However there are things which can be done, by better utilising the resources which are already there.

"The government is clearly very concerned about this which is why as part of its cyber security strategy is it very keen to try and give some direction to businesses about what the potential dangers are."

Emm believes that the government needs to do more in getting the message out there and while businesses have a duty to educate their own staff, one area the government is not doing enough work is in educating consumers about the threats of cyber-attack.

Government and businesses can put in place the most sophisticated cyber-security procedures possible but what it cannot legislate for is the incompetence and laziness of people.

Emm points to the attack on security firm RSA in 2011 when the attack was triggered by an employee not only downloading a malicious email attachment, but first pulling said message out of a junk email folder. This incident highlights that even businesses need to do more.

"I'm not sure that businesses do enough on [educating their employees]," Emm says, adding that there is a degree to which companies resign themselves to the fact that "people are going to do dumb things next year, and the year after" and so education is pointless.

Seat belt

Emm highlights that the people behind the introduction of the seat belt could have had the same attitude but didn't, and today we all more-or-less wear seat-belts while driving.

This will be a slow process however, with attitudes not changing overnight:

"I'm not expecting to change attitudes this week or this year. I'm not going to say we are going to get to a point where nobody ever will do anything silly but I think we need to do more," Emm says.

One why in things are changing however is how companies are now acknowledging that they have been breached, something which wasn't happening only a couple of years ago.

"If you go back to the time of the Sony PlayStation [Network] attack, the gut reaction, quite understandably, by companies was to say we don't really want to go public on this, it's embarrassing," Emm says.

"I think things are beginning to change. You look at LinkedIn and Evernote, two of the more recent ones, the response there is 'OK, this has happened and here are some precautions we are recommending to our customers.' There seems to be much more of a willingness to go public."