NCSC issues core questions to help boards assess cyber risk
The National Cyber Security Centre has published its first in a series of guidance for board members which highlights what businesses should be asking security teams
Ciaran Martin, the CEO of the National Cyber Security Centre (NCSC), has issued five core questions boards should ask their security teams as part of a set of guidelines aimed at assessing cyber risk.
These five questions are the first in a suite of guideline materials the NCSC plans to release to teach business leaders the basic technical details needed to understand potential threats to their firms.
Speaking at the annual CBI Cyber Security: Business Insight Conference 2018, Martin said: “There is clear evidence that business leaders have a heightened focus on cyber security and, of course, I welcome that. At the same time, there is a clear and loud demand from business for clear and simple guidance on what has been all too often, and damagingly, characterised as a complex and technical subject.”
To make cyber security issues seem less complex for corporate leaders who may not be trained in the subject, the NCSC guidelines not only advise board members on what to ask about the security of their businesses, but also what to look for in the answers.
These initial five questions were:
- How do we defend our organisation against phishing attacks?
- What do we do to control the use of our privileged IT accounts?
- How do we ensure our software and devices are up to date?
- How do we ensure our partners and suppliers protect the information we share with them?
- What authentication methods are used to control access to systems and data?
Cyber attacks have been growing in number over the last few years, and research has found that in many cases cyber criminals are spending more money on finding weaknesses in their targets’ cyber defences than firms are spending on avoiding attacks.
The NCSC’s advice comes after the FTSE 350 Cyber governance health check report 2017 found almost 70% of boards have no training in how to deal with cyber incidents, and 10% have no plans in place should they face a cyber threat.
Martin claimed that since cyber security is now a major business risk, board members should aim to understand it “in the same way they understand financial risk, or health and safety risk”.
This means encouraging boards to ask questions about the state of cyber in their businesses to make sure they are as much a part of the discussion around security as they are other parts of the firm.
Boards were used as focus groups by the NCSC to develop appropriate guidelines that teach board members and their staff to understand, recognise and address threats to their businesses.
Martin said these were a “taster of the sort of simple, useful but technically authoritative guidance we will be putting out to business” before the launch of a broader toolkit, developed by experts in cyber security, which will be released later this year.
“We want to move on to the next level by helping you frame your defences in a way that is appropriate to the threat picture,” he said. “This means we need you to get a little bit more technical. People at board level need to understand the basics – and I stress, basics – of cyber-attacks, cyber risks and cyber defences. That’s daunting, but it is doable.”
The cost of a data breach
As cyber attacks become more common, causing damage such as stolen funds, damaged equipment and stolen customer information, IBM has claimed the global average cost of a data breach can be up to £3m.
Martin said that since many businesses deal with “challenges as complex, if not more complex”, business leaders should be able to “close the knowledge gap” between them and their IT teams, so that they can have a technical discussion about the direction cyber is taking in their business – and whether this will be enough.
“Asking these questions, and understanding the answers, will help you protect your business,” he said. “But corporate leaders have to be prepared to stick at it to understand the answers. One final message is to not be afraid to ask other questions just because you think they’re too basic. Nodding to avoid feeling foolish can sometimes be the most foolish thing to do.”
These new guidelines are mainly aimed at larger companies, but could be adapted for use by small businesses alongside the NCSC’s Small business guide, which aims to help smaller firms learn more about cyber.
The NCSC launched in October 2016 as part of the government’s £1.9bn National Cyber Security Strategy, aimed at improving the UK’s cyber landscape and addressing the UK’s cyber security skills gap.