The head of the Government’s National Cyber Security Centre (NCSC) today warned boards that they ‘need to get technical’ to understand the cyber risks facing their businesses.
In a speech delivered at the annual CBI Cyber Security conference, Ciaran Martin, the CEO of the NCSC, called on board members to rise to the cyber security challenge by improving their cyber security literacy.
In particular, Mr Martin stressed the importance of understanding the basics of cyber-attacks, cyber risks and cyber defences so that boards can direct their organisation’s response to threats more effectively.
He also flagged the cyber security risks facing the UK from nation states – including Russia – as well as large-scale criminal cyber activity.
The five questions the NCSC is recommending boards ask are:
- How do we defend our organisation against phishing attacks?
- What do we do to control the use of our privileged IT accounts?
- How do we ensure that our software and devices are up to date?
- How do we ensure our partners and suppliers protect the information we share with them?
- What authentication methods are used to control access to systems and data?
David Morris, a technology risk assurance director from RSM, said: ‘The NCSC has today set out some of the high level technical questions that boards should be asking in order to protect their businesses from cyber-attack.
‘All of these questions focus on the technology and process elements of implementing an effective cyber strategy. This is clearly important and there needs to be a continuous process of maintaining and monitoring systems to ensure they remain fit for purpose. However, people risk remains a key vulnerability and it’s likely that we will hear more about this when more detailed guidance is published later this year.
‘The NCSC also revealed some of the eye-watering costs suffered by businesses that fall victim to cyber-attack. For example, one company affected by last year’s NotPetya attack had to take a hit of up to £250m as a result of having to install 4,000 new servers, 45,000 new PCs and 2,500 new applications.
‘Another consequence of a cyber breach is the risk of breaching the new General Data Protection Regulation (GDPR). Under GDPR, penalties for non-compliance can now reach up to €20 million or 4 per cent of annual global turnover – whichever is higher.
‘Following recent high-profile data loss incidents, we are also beginning to see the emergence of class actions which seek to compensate consumers for inconvenience, distress and misuse of data. This puts even more financial pressure on businesses that have fallen victim.
‘Consumer behaviour is also likely to be affected. Research released by the CBI today found that almost 9 out of 10 people say businesses that protect their data will win their custom. The corollary must be that those that don’t protect data are bound to lose out.’