Brian Sims
Editor
A DRAFT Code of Practice on cyber security governance put forward for comment by the Cabinet Office will help directors and senior leaders shore up their defences against cyber threats. In parallel, the Government has launched a new call for views from business leaders themselves.
Aimed at executive and non-executive directors and other senior leaders, the proposed measures look to establish cyber security issues as a key focus for businesses, putting them on an equal footing with other threats including financial and legal pitfalls. As part of this, the Code of Practice recommends that directors set out clear roles and responsibilities across their organisations, boosting protections for customers and safeguarding their ability to operate safely and securely.
A key focus of the Code – designed in partnership with industry directors, cyber and governance experts and the National Cyber Security Centre (NCSC) – is making sure companies have detailed plans in place to respond to (and subsequently recover from) any potential cyber incidents. Those plans should be regularly tested such that they are as robust as possible, with a formal system for reporting incidents being put in place.
Organisations are also encouraged to equip employees with adequate skills and awareness of cyber issues so they can work alongside new technologies in confidence. The Government is calling on businesses of all sizes and from all sectors with an interest in cyber and governance issues to share their opinions on the draft Code of Practice, in turn helping to shape and deliver the future of improved cyber security in the UK.
Firm grip
Viscount Camrose, Minister for Artificial Intelligence and Intellectual Property, stated: “Cyber attacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of cyber security regimes for organisations, duly protecting their customers, workforce, business operations and, indeed, the wider economy.”
Camrose continued: “This new Code of Practice will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work. It’s vital those individuals at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals coming forward to share their views.”
The benefits of the UK’s rapidly growing cyber landscape are sizeable, unlocking new opportunities and ways of working and creating new jobs to grow every sector of the UK economy (a key priority for the Government). This means the risks associated with growing an increasingly digital economy need to be addressed through practical action and robust safeguards.
The introduction of the Cyber Governance Code of Practice marks a pivotal step in how the leaders and directors of all organisations approach cyber risk, underpinning the UK’s credentials as a cyber power and protecting the national economy.
Cyber breach statistics
The guidance emerges as figures show almost one-in-three (32%) firms have suffered a cyber breach or attack in the past year, with a rise in damaging ransomware attacks and malicious actors posing significant threats as they look to take advantage of cyber security vulnerabilities.
New statistics and analysis showing the positive impact of the Government’s Cyber Essentials scheme, which helps organisations protect against common cyber attacks, have also been issued. Through this scheme, organisations which demonstrate they have vital cyber security controls in place, including effective management of security updates, suitable anti-virus software and the removal of default passwords, are awarded a Cyber Essentials certificate. 38,113 certificates have been awarded to organisations in the past year, while two-in-five (39%) of the UK’s largest businesses now hold the accolade.
New analysis of the Cyber Security Breaches Survey also shows that around two-thirds (66%, in fact) of businesses adhering to Cyber Essentials do have a formal cyber incident response plan in place, compared to just 18% of those who don’t follow its guidance.
Mitigating potential threats
Lindy Cameron, CEO at the National Cyber Security Centre, observed: “Cyber security is no longer a niche subject or solely the responsibility of the IT Department, so it’s vital that CEOs and directors understand the risks posed to their organisations and how to mitigate potential threats.”
Cameron went on to state: “This new Cyber Governance Code of Practice will help to ensure cyber resilience is at the top of the agenda for organisations and I would encourage all directors, non-executive directors and senior leaders to share their views. Senior leaders can also access the National Cyber Security Centre’s Cyber Security Board Toolkit, which provides practical guidance on how to implement the actions outlined in the Code in order to ensure effective management of cyber risks.”
To further support organisations in improving their cyber security and provide more clarity on Best Practice, the Government is also publishing its response to a call for views on software resilience and security to help address software risks and make organisations more resilient to cyber threats.
High-profile incidents
A number of recent, high-profile cyber incidents – including an incident which took the NHS 111 service offline – have demonstrated the severe impacts that attacks on software and digital supply chains can exert. The response to the call for views proposes steps to empower those who develop, buy and sell software to better understand how they can reduce risk, prioritising the protection of businesses and other organisations that are reliant on software for their day-to-day operations.
Software is fundamental to virtually all technology used by businesses, from programmes for managing payroll through to essential operating systems and more advanced and emerging technologies such as Artificial Intelligence. Protecting software is therefore crucial when it comes to protecting businesses and organisations and, what’s more, is a critical part of the Government’s work focused on improving UK cyber resilience.
The plans include measures to ensure software is developed and maintained securely, with risks better managed and communicated throughout supply chains. The Government is working with industry to develop these proposals further, from fashioning a Code of Practice for software vendors, which will form the crux of this proposed package, all the way through to cyber security training for professionals.
Call for views
The call for views, which will be open until 19 March, will help ensure this new Code of Practice is straightforward to understand and roll out, and will also help to identify any potential barriers organisations could face in bringing it into force.
The work is part of the Government’s £2.6 billion National Cyber Strategy designed to protect and promote the UK online.