Experts in cyber security have published new guidelines for Britain’s corporate leaders to equip them with the basic technical details they need to understand the threats they face in cyber space, and to direct effectively their organisation’s response to them. Specialists from the National Cyber Security Centre (NCSC), itself a part of GCHQ, have emphasised that the Boards of big companies cannot outsource their cyber security risks and, furthermore, need to understand what their technical staff are doing if they’re to prosper securely in the digital age.
In support of this, the NCSC has published the first in a suite of guidance notes for businesses, in turn setting out five questions – grounded in expert technical guidance – that Boards should ask about their company’s IT security. The questions – and what to look for in responses – were proposed to Board members at the CBI’s recent Cyber Security Conference by NCSC CEO Ciaran Martin.
The FTSE 350 Cyber Governance Health Check Report 2017 found that 68% of Boards have received no training to deal with a cyber incident, while 10% have no plan in place to respond to one.
“Cyber security is now a mainstream business risk,” asserted Martin. “Corporate leaders need to understand what threats are out there and what the most effective ways are of managing the risks. To have the plain English, business-focused discussions at Board level, Board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk or health and safety risk. Our sample questions, which we’ve published in consultation with businesses, aim to equip Board members to ask the right questions and begin to understand the answers. There’s really no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk.”
The five questions the NCSC is recommending Boards ask of themselves are as follows:
(1) How do we defend our organisation against phishing attacks?
(2) What do we do to control the use of our privileged IT accounts?
(3) How do we ensure that our software and devices are up-to-date?
(4) How do we ensure that our partners and suppliers protect the information we share with them?
(5) What authentication methods are used to control access to systems and data?
These initial questions will form part of a broader toolkit to be released this winter that’s designed to recognise and resolve gaps in Boards’ knowledge. The questions and possible answers are designed as a starting point to help organisations begin effective discussions on cyber security.
NCSC guidance also tells Boards how to distinguish good answers from waffle and encourages them to continue asking questions about how risks are managed.
Response from the business world
Matthew Fell, the CBI’s chief UK policy director, responded: “Cyber threats now pose one of the biggest risks to a company’s finances and reputation. Digital security can no longer be the sole responsibility of the IT team and companies must recognise this. Business Boards are stepping up to the challenge of improving their cyber literacy, but firms do recognise that more progress is needed. That’s why the CBI’s 3rd Cyber Conference brings together over 250 senior business leaders to help turn cyber awareness into action.”
Fell added: “The NCSC’s five-question guide provides a great starting point for business Boards to equip themselves in the fight against the ever-evolving cyber challenge.”
The NCSC has been working with Boards as focus groups to determine what support is needed to ensure that Board members and staff who report to them are able to recognise threats, enable discussions and implement appropriate measures.
Jacqueline de Rojas, president of techUK and chair of the Digital Leaders Board, observed: “Cyber security is no longer just the domain of the IT Department. It cannot be delegated. Those around the Boardroom table must understand the constant and persistent cyber threat to their businesses and educate themselves about the steps they need to take to ensure that they are cyber-resilient. That’s why the NCSC toolkit, which is specifically aimed at Board members, is an important development. It will help in demystifying concerns around cyber security and enable senior executives to discuss their cyber risk appetite in a confident and proactive manner. techUK will continue to work with the NCSC to raise awareness of the toolkit in order to protect businesses both large and small in the UK.”
While primarily aimed at larger companies, smaller businesses will be able to tailor the toolkit for their sector. The NCSC has already published a cyber security Small Business Guide.
*NCSC CEO Ciaran Martin’s full speech delivered at the CBI’s Cyber Security Conference can be read here