Why the new Cyber Governance Code of Practice is crucial for UK commerce
CyberKainos. Reading time: 4.5 minutes
In April, the UK’s National Cyber Security Centre (NCSC) introduced the Cyber Governance Code of Practice. This Code aims to improve the cyber resilience of UK organisations by providing boards and directors with structure and advice regarding the governance and management of cyber security risks.
The target audience itself is an interesting point, because in the Government's own recent Cyber Breaches Survey, just 27% of UK organisations say they have a board member with direct responsibility for cyber security.
This is a worryingly low figure when you consider that 50% of businesses reported some form of cyber security breach or attack in the last 12 months. The prevalence of attacks is even higher amongst medium businesses (70%) and large businesses (74%).
In truth, it is highly likely cyber-attack volume against UK commerce and infrastructure will have increased by the time the next survey is published. Boardrooms need to quickly appreciate that such a low level of representation is not sustainable.
The five core principles of the Cyber Governance Code of Practice
CyberKainos’ opinion is that the Cyber Governance Code of Practice is a comprehensive and important tool that boards should take advantage of to help oversee and manage cyber risks within their organisations. The Code outlines five core principles:
- Risk Management: Identifying and prioritising critical digital assets, conducting regular risk assessments, and integrating cyber security into overall enterprise risk management.
- Cyber Strategy: Aligning cyber security strategies with business objectives, ensuring adequate resource allocation, and adapting to the evolving threat landscape.
- People: Fostering a positive cyber security culture through clear policies, training, continuous learning, and awareness programs.
- Incident Planning and Response: Developing and regularly testing plans and back-ups to respond to and recover from cyber incidents, incorporating lessons learned into future strategies.
- Assurance and Oversight: Establishing governance structures with clear roles and responsibilities when it comes to cyber security, and ensuring regular monitoring and reporting on cyber security matters.
The importance of board-level cyber security engagement is highlighted
Historically, cyber security has been the responsibility of IT departments, with limited involvement or indeed interest from senior leadership. However, with the increasing frequency, sophistication, and impact of cyber-attacks, such as those launched against M&S, Harrods, and the Co-Op, the necessity for greater board-level engagement in cyber security governance has been clearly highlighted.
In the Code, the NCSC emphasises that cyber security should be treated as a critical business risk, not merely a technical issue. By adopting the Code, organisations can ensure that cyber security considerations are integrated into strategic decision-making processes, thereby enhancing overall resilience.
Implementing the five core principles
Risk Management: By identifying and prioritising critical digital assets, organisations can focus their resources on protecting the most vital components of their operations. Regular risk assessments ensure that emerging threats are promptly addressed and that mitigation strategies are updated accordingly. Risk can be managed in four ways: avoid, control, accept, or transfer. An organisation's board, using the information available, should be accountable for determining its cyber security risk appetite and overall tolerance. It should also encourage effective communication of that stance across the organisation to help build a coherent and consistent cyber security culture.
Cyber Strategy: Aligning cyber security strategies with business objectives ensures that security measures support, rather than hinder, organisational goals. Adequate resourcing and investment are essential to allow for the development of the capabilities and people needed to manage cyber threats effectively. Your cyber security strategy should be monitored and tracked just like your marketing or sales strategies, and it should be able to adapt whenever significant changes occur in the internal or external environment. Key strategic elements to guide executive-level planning include:
1. Setting the strategic approach for assessing and identifying potential threats and vulnerabilities
2. Defining priorities and principles for mitigating risks
3. Outlining objectives for incident response and recovery
4. Establishing governance frameworks that provide oversight and accountability for cyber security efforts
5. Embedding a commitment to security awareness as a strategic priority across the organisation
People: Phishing attacks that target employees via email remain the #1 attack vector, largely because of their low cost, low skill requirement, low risk, and relatively high success rate. Cultivating a cyber security-aware culture is essential for reducing human-related vulnerabilities. Training and awareness programmes empower employees to recognise and respond to potential threats, thereby strengthening the organisation's overall security posture. Remember, culture is an outcome of the right behaviours and actions, often driven by leadership, and is not something that can be quickly altered. You can encourage the behaviours that create the right cyber security culture, for example by focusing on positive changes such as continuous improvement in password management, but changing the culture itself is a gradual process.
Incident Planning and Response: Cyber security incidents can have a huge impact on an organisation in terms of cost, productivity, reputation, loss of customers and legal implications. The Board should have assurances that a Cyber Incident Response Plan (IRP) is in place. Having a well-defined and regularly tested incident response plan ensures you will be better placed to effectively address future cyber incidents. Post-incident reviews are critical in facilitating continuous improvement by incorporating lessons learned into future strategies.
Assurance and Oversight: Establishing clear governance structures with defined roles and responsibilities ensures accountability in managing cyber risks. Regular monitoring and reporting provide transparency and enable timely interventions when necessary. Independent external assurance gives organisations an accurate assessment of their cyber resilience, ensures compliance with legal and regulatory standards, and measures them against established ‘best practices’ to instil stakeholder confidence. For organisations not in a position to spend upwards of £150,000 on a full-time CISO to manage this, virtual CISOs (vCISOs) provide a cost-effective alternative.
Implementation: The big next step for organisations
The NCSC’s Cyber Governance Code of Practice represents a significant step towards enhancing the cyber resilience of UK organisations. In an era where cyber threats are pervasive and ever-evolving, adopting the principles outlined in the Code is not merely a regulatory compliance issue, but a strategic imperative for safeguarding organisational assets and ensuring continuity.
However, there are practical hurdles that do need to be considered.
Firstly, corporate budgets remain tight against an uncertain economic outlook, and there is a shortage of trained people in the UK who are capable of implementing the recommendations put forward in the Code.
As a consequence, building an internal team with a wide range of skills and experience is a tough task. This is especially true for small and medium-sized businesses. If this accurately describes your organisation's existing position, why not reach out and start a conversation with CyberKainos? We can assist with the planning and implementation of all five core principles outlined in the Code and ensure your business processes and operations have the necessary controls in place to be resilient against future ransomware attacks.
Secondly, the data from the Government's recent Cyber Breaches Survey suggests the penny still needs to drop for a large number of business leaders that the threats against them are real and potentially severe. It should not take national news stories of cyber-attacks and the resulting double-digit share price drops to be the catalyst for opening eyes.
CEOs and MDs are briefed and highly informed on a range of important topics impacting their businesses. Just maybe a few more should add cyber security to their list.
To learn more about the Aegis platform or to book a demonstration please click here:
Contact:
CyberKainos