Cyber threats should be prioritised as a key business risk

Targeted at executive and non-executive directors and other top-tier leaders, this Code seeks to elevate cyber security concerns to the same level of importance as financial and legal risks. It recommends assigning clear roles and responsibilities within organisations to enhance customer protection and secure operational safety and security.

A primary aspect of the Code, developed in collaboration with industry directors, cyber and governance experts, and the National Cyber Security Centre (NCSC), is to ensure that companies have comprehensive plans for responding to and recovering from potential cyber incidents. These plans should undergo regular testing for robustness, including a formal incident reporting system.

Additionally, the Code encourages organisations to provide their employees with the necessary skills and awareness about cyber issues, enabling them to confidently work with new technologies. The government is now inviting businesses of all sizes and sectors with an interest in cyber and governance matters to contribute their views on this draft Code, aiming to shape the future of enhanced cyber security in the UK.

Viscount Camrose, Minister for AI, and Intellectual Property, commented: "Cyber attacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes – protecting their customers, workforce, business operations and our wider economy.

“This new Code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work.

“It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views.”

The UK's burgeoning cyber landscape promises significant benefits, including new working methods and job creation across all economic sectors – a key government priority. However, with the digital economy's growth, there's a need for practical actions and robust safeguards. The Cyber Governance Code of Practice is a critical step in how organisational leaders approach cyber risk, reinforcing the UK's status as a cyber power and safeguarding its economy.

This guidance is timely, as data shows nearly one-third (32%) of firms have experienced a cyber breach or attack in the past year. The rise in damaging ransomware attacks and malicious actors highlights the urgency of addressing cyber security vulnerabilities.

Today also sees the release of new statistics and analysis on the government’s Cyber Essentials scheme, which aids organisations in guarding against common cyber attacks. Organisations demonstrating key cyber security controls are awarded a ‘Cyber Essentials certificate’. In the past year, 38,113 certificates were awarded, with two in five (39%) of the UK's largest businesses now holding this recognition.

Further analysis of the Cyber Security Breaches Survey indicates that approximately two-thirds (66%) of businesses adhering to Cyber Essentials have a formal cyber incident response plan, in contrast to just 18% of non-compliant businesses.

Lindy Cameron, CEO of the National Cyber Security Centre, stated: “Cyber security is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats.

“This new Cyber Governance Code of Practice will help ensure cyber resilience is put at the top of the agenda for organisations and I’d encourage all directors, non-executive directors, and senior leaders to share their views.

“Senior leaders can also access the NCSC’s Cyber Security Board Toolkit, which provides practical guidance on how to implement the actions outlined in the Code, to ensure effective management of cyber risks.”

To further assist organisations in enhancing their cyber security and clarify best practices, the government is also publishing its response to a call for views on software resilience and security. This aims to address software risks and bolster organisational resilience against cyber threats.

Recent high-profile cyber incidents, like the one impacting the NHS 111 service, underline the severe consequences of attacks on software and digital supply chains. The government's response proposes measures to empower those involved in software development, purchase, and sale to mitigate risk and prioritise the protection of software-reliant businesses and organisations. Software, being fundamental to nearly all business technology, from payroll management programmes to operating systems and advanced technologies like AI, is critical for business and organisational protection. This is a key aspect of the government's efforts to improve UK cyber resilience.

The plans include ensuring secure software development and maintenance, with better risk management and communication across supply chains. The government is collaborating with the industry to refine these proposals, from developing a software vendor code of practice to offering cyber security training for professionals.

The call for views, open until 19 March 2024, aims to ensure the new Code is easy to understand and implement, while identifying potential implementation barriers for organisations.

This initiative is part of the government’s £2.6 billion National Cyber Strategy, dedicated to protecting and promoting the UK online.