Five key questions company boards must ask about their cyber security readiness
Experts in cyber security have published new guidance for Britain’s corporate leaders – including five key questions to answer – in order to understand the threats they face in cyber space, and to direct effectively their organisation’s response to them.
Specialists from the National Cyber Security Centre (NCSC), part of GCHQ, have emphasised that boards of big companies cannot outsource their cyber security risks and need to understand what their technical staff are doing if they are to prosper securely in the digital age.
In support of this, the NCSC has published the first in a suite of guidance to businesses, setting out five questions – grounded in expert technical guidance – that boards should ask about their company’s IT security.
The questions – and what to look for in responses – were proposed to board members at the CBI’s Cyber Security conference today by the NCSC’s chief executive Ciaran Martin. “Cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks,” he said.
“But to have the plain English, business focussed discussions at board level, board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk. Our sample questions, which we’ve published in consultation with businesses, aim to equip board members to ask the right questions and begin to understand the answers.
“There is no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk.”
The FTSE 350 Cyber Governance Health Check Report 2017 found that while 68% of boards have received no training to deal with a cyber incident and 10% have no plan in place to respond to one.
The five questions the NCSC is recommending boards ask are:
- How do we defend our organisation against phishing attacks?
- What do we do to control the use of our privileged IT accounts?
- How do we ensure that our software and devices are up to date?
- How do we ensure our partners and suppliers protect the information we share with them?
- What authentication methods are used to control access to systems and data?
These initial questions will form part of a broader toolkit released this winter to recognise and resolve gaps in boards’ knowledge. The questions and possible answers are designed as a starting point to help organisations begin effective discussions on cyber security.
NCSC guidance also tells boards how to distinguish “good answers from waffle” and encourages them to continue asking questions about how risks are managed.
Matthew Fell, CBI Chief UK Policy Director, said: “Cyber threats now pose one of the biggest risks to a company’s finances and reputation. Digital security can no longer be the sole responsibility of the IT team and companies recognise this.
“Business boards are stepping up to challenge of improving their cyber literacy, but firms recognise more progress is needed. The NCSC’s five question guide provides a great starting point for business boards to equip themselves against the ever-evolving cyber challenge.”
The NCSC has been working with boards as focus groups to determine what support is needed to ensure board members and staff who report to them are able to recognise threats, enable discussions and implement appropriate measures.
Jacqueline de Rojas, president of techUK and chair of the Digital Leaders Board, added: “Cyber security is no longer just the domain of the IT department. It can’t be delegated. Those around the board table must understand the constant and persistent cyber threat to their businesses and to educate themselves of the steps they need to take to ensure that they are cyber-resilient.
“That is why the NCSC toolkit, specifically aimed at board members, is an important development. It will help de-mystify concerns around cyber security, enabling senior executives to discuss their cyber risk appetite in a confident and proactive manner.
“techUK will continue to work with the NCSC to raise awareness of the toolkit in order to protect businesses both large and small in the UK.”
While primarily aimed at large companies, smaller businesses will be able to tailor the toolkit for their sector. The NCSC has also already published a cyber security Small Business Guide. It will be regularly updated to stay up-to-date and will be published for free on the NCSC website.
The pandemic has taught me how to share more – and I feel a better leader for it
As a young professional starting out in the tech sector 30 years ago, I thrived on the fast pace,constant change and demanding workload. I lived in London, Singapore and Australia…
We need to shout about our successes. Liz Fletcher on celebrating women in biotech
Throughout my career in biotechnology and life sciences, I have seen many women leading ground-breaking research studies in their fields of expertise. Yet, and I include myself in this, we…
Getting the best out of patient data is key to unlocking future health benefits in Scotland
It is important that clinicians’ voices are heard in the consultation around Scotland’s new health and care data strategy, which closes this week (12 August). Busy GPs like myself are the trusted…
How motherhood helped me be a better leader
Consider this an open letter to anyone I have worked with before I became a mother and before I fully understood how being a parent is actually a prized asset…
‘We cannot achieve our goals without entrepreneurs’ – Kate Forbes on vision for new ‘tech scaler’ network
From the very start of my ministerial career, I have had responsibility for the Scottish tech sector – and I can still say what I have said from the start,…
Finding a role in cyber was ‘tough’ for Cheryl Torano. Now she’s determined to help other women join an under-represented industry
When I decided to upskill to change careers at the age of 30 and dive into the digital world, I knew I would be starting out at the bottom of…
Why innovation and marketing are the perfect partners to make changes that matter￼
With the rapid evolution of traditional marketing and the appearance of digital marketing, technology and innovation has become part of any marketer’s life without the need of working for a…
Transitioning to a four-day week – CEO’s vow to strike a healthier balance in the workplace
I came to Scotland nearly 20 years ago from Ireland, with no contacts but a lot of determination. While Ireland will always be my home, Scotland has given me amazing…