Treat cyber risk like financial or legal issue, says UK government

The UK government has today published a draft Code of Practice on cyber security governance, aimed at directors and other business leaders and urging them to prioritise security threats as a key business risk akin to financial or legal challenges.

The government hopes its suggestions – developed alongside the National Cyber Security Centre (NCSC) – will help organisations shore up their defences against cyber threats, strengthen their resilience and enable them to safely take advantage of emerging technologies. It has launched a call for views in response to its proposals.

The code centres the need to put detailed, tested and robust incident response plans in place to enable businesses to quickly respond to and better recover from cyber incidents. It also urges business leaders to do more to equip their employees with appropriate security skills and awareness.

“Cyber attacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes – protecting their customers, workforce, business operations and our wider economy,” said artificial intelligence (AI) and intellectual property minister Viscount Camrose.

“This new code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work. It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views.”

NCSC CEO Lindy Cameron said: “Cyber security is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats. This new Cyber Governance Code of Practice will help ensure cyber resilience is put at the top of the agenda for organisations, and I’d encourage all directors, non-executive directors and senior leaders to share their views.

“Senior leaders can also access the NCSC’s Cyber Security Board Toolkit, which provides practical guidance on how to implement the actions outlined in the code, to ensure effective management of cyber risks,” she said.

The government said that introducing the draft code was a “pivotal step” in addressing how business leaders approach cyber risk, and would help it along the way to achieving its goals of growing the UK’s digital economy safely and securely, with “practical action and robust safeguards”. It’s estimated that just under a third of British businesses experienced a data breach or cyber attack in 2023, with a particularly notable rise in ransomware attacks.

At the same time, the government has published new statistics and analysis demonstrating the positive impact of the NCSC-delivered Cyber Essentials programme, which awarded certification to almost 40,000 businesses in 2023, and is now held by two in five of the UK’s largest businesses.

It said that around two-thirds of businesses that adhere to the Cyber Essentials programme have a formal cyber incident response plan in place, in comparison with just 18% of those who do not follow its guidance.

Vectra EMEA chief technology officer Christian Borst said: “Today’s DSIT guidance highlights the need for businesses to urgently overhaul their approaches to cyber security. But, while incident response plans and cyber awareness training are essential to good security hygiene, businesses need to go much further to stay secure in a growing world of cyber security risks. Today, it’s vital that security leaders, architects and analysts focus on improving cyber resilience, leveraging AI-driven tools to break out of a never-ending spiral of ‘more’.

“More attack surface exposure means more tools, which means more complexity,” he continued. “More evasive attackers means more rules, which means more alerts. And finally, more alert rules to tune and maintain means more work for analysts and more burnout. The fact of the matter is that businesses will be hybrid forever, and so will attackers. This spiral of more is giving hybrid attackers the upper hand. However, AI-driven threat detection, investigation and response enables SOC teams to move at the speed of hybrid attackers and protect the business.”

IEEE senior member and cyber security professor at Ulster University Kevin Curran added: “The threat landscape is constantly evolving, so organisations need to keep pace and ensure they are regularly reviewing and upgrading their defences. Some approaches that worked just a few years ago are now obsolete, and attackers change their profile far quicker now, so it is incredibly difficult to identify which packet requests are nefarious. Companies should try to deal with DDoS traffic on the edge of their network immediately, and employ the latest tools, such as AI, which can help with reactive misuse, anomaly detection and network profiling techniques.

“Moving forwards, senior management must have a more holistic understanding and approach to cyber security, and IT departments must be able to maintain proficient security protocols or policies for years to come,” he said. “Inevitably, this means increasing the amount of IT security staff and ensuring all staff are sufficiently trained, even if it’s just basic cyber skills.”