The UK government has published new draft cybersecurity guidelines for businesses. According to the Department for Science, Innovation and Technology, the new ‘Code of Practice on cyber security governance’ provides guidance for senior leaders on how best to protect their organisations from cyberattacks and recommends they treat the risk of such breaches as equal to legal and financial pitfalls. It forms part of the government’s £2.6bn National Cyber Strategy, though no new funding for law enforcement agencies to prosecute cybercrime was announced today.
“It’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes – protecting their customers, workforce, business operations and our wider economy,” said the minister for AI and intellectual property, Viscount Camrose. “This new Code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work.”
New UK cybersecurity guidelines for businesses encourage detailed post-breach planning
According to government statistics, almost a third of all UK businesses fell victim to cyberattacks or breaches in 2023. Written in collaboration with both private sector stakeholders and the National Cyber Security Centre (NCSC), the new cybersecurity guidelines for businesses encourage firms to reflect the seriousness with which they approach cybersecurity in their corporate hierarchy by creating roles with clear responsibilities for cyber-defence. Companies should also write detailed plans for responding to and recovering from breaches, commission regular penetration testing, and institute regular cyber-awareness training for staff.
DSIT also touted the success of the government’s “Cyber Essentials” certification scheme, under which businesses demonstrate their commitment to cyber-defence by implementing a baseline set of technical security controls. According to the government, 38,113 certificates were awarded to UK businesses last year, including to two in five of the country’s largest firms. Furthermore, its recent Cyber Security Breaches Survey found that 66% of organisations that signed up for the “Cyber Essentials” scheme had an incident response plan in place, compared to just 18% of firms that did not participate in the scheme.
The government added that it welcomes additional comments on its new cybersecurity guidelines for businesses, in addition to publishing a new call for views on software resilience and security. The latter, it said, “proposes steps to empower those who develop, buy and sell software to better understand how they can reduce risk, prioritising the protection of businesses and other organisations that are reliant on software for their day-to-day operations.”
ESET global cybersecurity advisor Jake Moore welcomed the publication of the new code of practice, arguing that SMEs will probably benefit the most from the guidelines. However, “for larger organisations,” he told Tech Monitor, “this will potentially be teaching them to suck eggs.”
Funding for law enforcement agencies to prosecute cybercriminals should not be neglected either, added Moore. Such investment “should never slow down,” he said. “Since the introduction of the revitalised UK fraud squad in 2022, it is clear that this sort of financial intervention is key to the protection of UK businesses.”