Brian Sims
Editor
Over one-third (35%, in fact) of Chief Information Security Officers (CISOs) questioned have admitted to ignoring the National Cyber Security Centre’s (NCSC) cyber security guidance. This key finding is detailed in a new report produced by enterprise cyber resilience specialist Absolute Security.
That particular finding emerges on the back of 48% of respondents revealing that their organisation was hit by a ransomware attack over the past year. The NCSC has issued regular guidance warning of increased ransomware threats over that time frame, not to mention procedures for incident response.
Absolute Security’s United Kingdom Cyber Resilience Report 2024 examines the current state of cyber resilience, security and Artificial Intelligence across the UK. To compile the results, the business surveyed 250 UK CISOs at enterprise organisations via independent polling agency Censuswide.
Two-thirds (i.e. 64%) of respondents feel that the UK has a poor cyber resilience strategy, with a perceived failure to define clear response policies to recover from cyber breaches, while 77% believe the UK is falling behind the US and the European Union when it comes to national cyber policies. This may offer a possible explanation for CISOs ignoring NCSC guidance.
Robust strategy
Andy Ward, international vice-president at Absolute Security, informed Security Matters: “Ransomware and state-sponsored attacks are increasingly on the rise. Arguably now more than ever, organisations need a robust cyber resilience strategy in place to respond to and also recover from attacks when they happen.”
Ward continued: “While no set of standards or frameworks will eliminate the certainty of an eventual incident, NCSC guidance is there to help protect CISOs, who shouldn’t just ignore nationwide protocols. Disregarding NCSC advice places today’s organisations at a much greater risk. It jeopardises jobs, causes significant financial and reputational damage and, potentially at least, even heaps personal liability on security leaders.”
Responding to the study’s findings, Absolute Security customer Bharat Thakrar (CISO/CTO of CyberBTX) commented: “The fact that 35% of CISOs ignore NCSC guidance is alarming. Ignoring these guidelines not only undermines organisational security, but also exposes sensitive data to significant risks. Adhering to NCSC standards is crucial for robust cyber security.”
Mobile and remote threats persist
Cyber attacks have more than doubled in volume since the start of the COVID-19 pandemic, with 72% of CISOs stating that remote working has complicated cyber resilience postures.
In total, 73% believe that remote working devices are the biggest weakness for their organisation as these devices often operate weeks – or even months – behind most enterprise patching policies.
These devices also grapple with essential security tool failures. When unsupported by remediation capabilities, Endpoint Protection Platforms and network access security applications fail to operate effectively 24% of the time, in turn opening up high-risk security gaps. All of these findings are supported in the recent Absolute Security Cyber Resilience Risk Index 2024.
“The increased attack surface facing organisations due to remote devices presents a difficult challenge for CISOs as they ward off the rising number of cyber threats,” outlined Ward. “Implementing an approach of cyber resilience can significantly bolster cyber defences through increasing visibility for CISOs and their security teams.”
In conclusion, Ward observed: “Adopting technology that’s capable of continuously monitoring remote devices, applications and networks can alert centralised security teams to suspicious behaviour, affording them the ability to freeze or shut off potentially compromised devices to prevent threat actors from moving laterally across a network and causing major damage. These devices can then be repaired to patch up weak security controls and mitigate future cyber risks.”
*Download copies of the Absolute Security United Kingdom Cyber Resilience Report 2024