The government is launching a code of practice relating to cyber governance for medium and large organisations, with the backing of the Institute of Directors.
Feryal Clark, cyber security minister, said the cyber governance code of practice sets out the “steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers”.
She added: “A successful cyber attack doesn’t just have the potential to grind operations to a halt – it could drain millions from the bottom line.
“If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat.”
The government seems to have put its faith in the cyber security of digital services to promote its Plan for Change.
Last week, Peter Kyle, secretary of state for science, innovation and technology, set out the terms of cyber security legislation that will be introduced to Parliament later in the year. He said the Cyber Security and Resilience Bill “will help make the UK’s digital economy one of the most secure in the world”. The bill will, he said, “boost the protection of supply chains and critical national services, including IT service providers and suppliers”.
© House of Commons
“If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat”
Feryal Clark, DSIT
The proposals will mean more organisations and suppliers need to meet robust cyber security requirements, including datacentres, managed service providers and critical suppliers.
Regulators will require companies to report more incidents to help build a better picture of cyber threats and weaknesses in the national economy’s online defences.
The government will also have more flexibility to update regulatory frameworks. This could include extending the framework to new sectors or updating security requirements.
In support of the cyber governance code of practice announced by Clark, the chief executive of the National Cyber Security Centre, Richard Horne, said: “In today’s digital world, where organisations increasingly rely on data and technology, cyber security is not just an IT concern – it is a business-critical risk, on a par with financial and legal challenges.
“From my experience working alongside senior leaders across both private and public sectors, I’ve seen first-hand how robust cyber governance is essential to drive resilience, support growth and help to ensure long-term success.
“I urge all board members to engage with the new cyber governance resources and make cyber security an integral part of their governance. Cyber security is a leadership imperative.”
The government said the code has received backing from across UK industry, with organisations including the Institute of Directors, EY and Wavestone, a consultancy firm, welcoming it.
In support of its code, the Department for Science, Innovation and Technology (DSIT) said one-third of large businesses lack a formal cyber strategy and nearly half of medium-sized firms operate without an incident response plan.
It stated that 74% of large businesses and 70% of medium-sized firms have experienced attacks and breaches in the past year. Cyber threats cost the UK economy almost £22bn a year between 2015 and 2019, with significant knock-on effects on daily operations and organisations’ long-term reputation, according to DSIT.
The department said the code – developed in partnership with the National Cyber Security Centre (NCSC) and “industry leaders” – will be the foundation of a support package for businesses.
The NCSC will provide online training to help implement the code and has created a board toolkit that offers practical guidance.
Small businesses, which do not fall under the purview of the code, are encouraged to engage with the NCSC’s Small Business Guide and use the government’s Cyber Local scheme, which provides tailored funding at a regional level.