Writing for Airmic News, cyber security minister Feryal Clark says that the new Cyber Governance Code will help executives understand and prioritise cyber risk.
The high-profile cyber attacks we’ve seen over the past month are a reminder of our reliance on technology, and that cyber security is not a luxury – it’s an absolute necessity.
We all need to be aware of cyber security risks and be taking action to address them – especially those working in insurance and risk.
Embracing digital technologies, including artificial intelligence, is already unlocking significant benefits for the UK’s economy and society, supporting growth and innovation. These technologies are enhancing business efficiency and continuity, whilst fostering greater connectivity among citizens.
That is why the government is committed to making the UK an attractive place for both investment and adoption of these technologies. However, as recent events have shown, disruption to the technologies we rely on can cause harm to both businesses and citizens.
UK: third most targeted country
The UK faces a cyber threat which is increasing in frequency, sophistication and intensity. 43% of businesses suffered a cyber breach or attack in the past year, highlighting the need for companies to take effective action to protect themselves.
At this year’s CyberUK conference, Cabinet Office minister Pat McFadden said cyber attacks are “the digital version of an old-fashioned shake down” which “damage and extort good businesses”.
The threat the UK faces has become difficult to ignore in recent weeks, with household names like M&S, the Co-op and Harrods all the subject of costly and disruptive cyber incidents.
These incidents are not one-offs. The UK is the third most cyber-targeted country after the US and Ukraine, with over 600,000 businesses estimated to have suffered a breach or attack in the last year.
These recent high-profile attacks demonstrate that no organisation, public or private, can ignore cyber security risk, with threats continuing to grow at pace. That means cyber security can no longer be an afterthought – it’s essential.
This government is serious about addressing the growing risk posed by cyber criminals and hostile states. That is why the Cyber Security and Resilience Bill will be delivered in the first session of parliament and will strengthen the UK’s cyber defences in energy, water, transport, health and digital infrastructure, as well as the tech services they rely upon.
Cyber resilience starts with strong leadership
While the Cyber Security and Resilience Bill will better protect our essential services, the government is also taking action to improve cyber resilience across supply chains and the wider economy. We know the vast majority of cyber attacks exploit basic weaknesses in our devices and IT systems. That’s why it is essential we focus on getting the basics right.
This starts with strong leadership. It’s crucial that boards and senior leaders are sufficiently engaged and informed to take key decisions on how their organisations are managing digital risks.
The Department for Science, Innovation and Technology (DSIT) recently published a Cyber Governance Code of Practice to help boards and directors protect their businesses from cyber criminals.
The Code of Practice, which was developed in partnership with the National Cyber Security Centre (NCSC) and industry leaders – including in consultation with Airmic – outlines the critical governance areas directors need to take ownership of.
The Code is designed to be simple to engage with and includes fundamental actions such as gaining assurance that risk assessments are regularly conducted; developing, testing and reviewing incident response plans; and building a culture of cyber security awareness. All medium and large organisations should be taking these actions.
Government’s cyber security toolkit available to all businesses
The Cyber Governance Code is underpinned by the NCSC’s Cyber Governance training which supports boards and directors to implement the Code, and a detailed Board Toolkit with further practical guidance and resources.
The government also supports Cyber Essentials, a certification scheme which helps organisations, regardless of size, improve their cyber resilience and protect themselves against the most common internet-based threats with five basic technical controls.
Cyber Essentials is highly effective at preventing attacks: recent insurance data shows that organisations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it.
The Cyber Governance Code of Practice and Cyber Essentials are part of a wider package of guidance and tools created by the UK government, alongside the NCSC, that set out best practice and can be used for any organisation. This guidance includes a collection of Codes of Practice setting minimum cyber security expectations, a free online training package for staff, and a free cyber action plan for small businesses.
Almost all companies are reliant on access to digital systems and use of digital technologies to retain competitive advantage, generate value and maintain business continuity.
For this reason, it’s crucial that boards and directors prioritise and manage cyber security risk as a principal business risk – one that demands oversight and proactive management. Building organisational resilience and ensuring the ability to recover swiftly from cyber incidents must be a top priority.