Cyber threats should be prioritised as a key business risk like financial and legal challenges, the UK government has urged as it releases new guidelines to help directors and business leaders boost their cyber resilience.
Aimed at executive and non-executive directors and other senior leaders, the new Cyber Governance Code of Practice guidelines aim to ensure that cyber threat issues are a key focus for businesses, putting them on an equal footing with other threats like financial and legal pitfalls.
Within this, the UK government has recommended that directors set out clear roles and responsibilities across their organisations, boosting protections for customers and safeguarding their ability to operate safely and securely.
The government designed the code in partnership with the National Cyber Security Centre (NCSC), and looks to ensure that companies have detailed plans in place to respond to and recover from potential cyber-attacks. It is also encouraging organisations to ensure their employees possess adequate skills and awareness of cyber issues so they can work alongside new technologies in confidence.
The work is part of the government’s £2.6billion National Cyber Strategy to protect and promote the UK online.
Are financial services firms passing on the responsibility?
The news comes as threat detection and response provider, e2e-assure, reveals that 44 per cent of financial services organisations that fully outsource their cyber security operations say their provider is underperforming, as per its latest research.
Overall, e2e-assure found that 77 per cent of financial services organisations have experienced a cyber attack. Other figures also show that 32 per cent of firms have suffered a cyber breach or attack in the past year alone.
Outsourcing is currently the most popular solution for financial firms when it comes to their cyber security operations (45 per cent), compared with a hybrid approach (40 per cent) or managing everything in-house (12 per cent).
However, 33 per cent of organisations that outsource do not feel confident in their provider’s ability to act and respond to security incidences within 30 minutes of detection. Around 28 per cent feel their suppliers were escalating too many false positives, which can often occur with ‘out of the box’ setups that are not efficiently tuned to the environment they’re monitoring. This feeling could lead to a greater number of firms taking on the responsibility themselves.
With this in mind, it is clear that organisations and cyber defence providers alike need to strengthen their anti-fraud defences and take notice of the new governmental guidelines.
Time to introduce cyber risk ratings?
Now, the UK government is asking for opinions on the latest draft of the Cyber Governance Code of Practice from businesses of all sizes from all sectors.
Viscount Camrose, Minister for AI and Intellectual Property, said: “It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views.”
Dan Morgan, senior government affairs director for Europe and APAC at SecurityScorecard, suggests the need for including cyber risk ratings: “We urge the UK government to consider the mandatory inclusion or encouragement of cyber risk ratings in the final version of the Cyber Governance Code of Practice. Such a move will significantly contribute to the overall security and resilience of the UK’s digital economy.
“Cyber risk ratings offer an objective, quantifiable measure of an organisation’s cyber security posture, akin to a credit score for cyber health. These ratings are essential tools for directors and senior leaders to understand and mitigate cyber threats effectively.
“Our extensive research reveals a stark reality: 98 per cent of organisations engage with third parties that have experienced breaches. This statistic underscores the urgent need for robust and reliable methods to assess and monitor cyber risk.”
