UK presses directors to take ‘firm grip’ on cybersecurity
A draft code pledges to tackle software cyber risks to supply chains
UK businesses and their directors have been told to “toughen up” cybersecurity and prioritise cyber threats as the government prepares new guidelines to boost businesses’ cyber resilience.
Publishing a draft code of practice on cybersecurity, developed with the National Cyber Security Centre, the government says executive and non-executive directors must take action to strengthen their organisation’s defences against cyberattack and treat cyber threats as a key business risk on the same footing as legal and financial risks.
In particular, it says directors should set out clear roles and responsibilities across their organisation to boost protection for customers and their business operations. Companies should have detailed plans to respond to and recover from potential cyber incidents, the government says, with routine testing to ensure the plan is robust. A formal system for reporting cyberattacks or breaches should also be in place.
The draft also includes measures to reduce the risks associated with software, addressing key cyber risks running through supply chains. The government says it is working with industry to further develop these proposals, which centre on cybersecurity in the development and maintenance of software used by businesses. On the table are proposals to develop a code of practice for software vendors and cybersecurity training for professionals.
Firms should also train staff and raise awareness of cyber issues, the draft code states.
“The measures look to establish cybersecurity issues as a key focus for businesses, putting them on an equal footing with other threats like financial and legal pitfalls,” the government says.
Viscount Camrose, minister for AI and intellectual property, says: “Cyberattacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cybersecurity regimes – protecting their customers, workforce, business operations and our wider economy.”
He adds that the threat of cyberattack should not hold back UK companies from taking “full advantage” of emerging technologies.
“The risks associated with growing an increasingly digital economy need to be addressed with practical action and robust safeguards. The introduction of the Cyber Governance Code of Practice marks a pivotal step in how the leaders and directors of all organisations approach cyber risk, underpinning the UK’s credentials as a cyber power and protecting our economy,” the government says.
On publishing the draft, the government opened a call for views from business leaders.
“It is vital that the people at the heart of this issue take the lead in shaping how we can improve cybersecurity in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views,” Viscount Camrose says.
One in three UK firms has suffered a cyberattack in the past year, the government says, as it revealed that more than 38,000 firms have been awarded a Cyber Essentials certificate for putting in place vital cybersecurity controls, including management of security updates and anti-virus software.
Lindy Cameron, CEO of the NCSC, says: “Cybersecurity is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats.
“This new Cyber Governance Code of Practice will help ensure cyber resilience is put at the top of the agenda for organisations, and I’d encourage all directors, non-executive directors, and senior leaders to share their views.”