UK tells business leaders to ‘toughen up’ against cyberattacks
The British government has told business leaders to “toughen up” their protections against cyberattacks and prioritize the threat as a key business risk similar to financial and legal challenges.
It follows a government survey that identified “insufficient director involvement” in their organization’s cybersecurity, with just 30% of businesses having “board members or trustees explicitly responsible for cyber security as part of their job role.”
A draft Code of Practice published Tuesday is intended to set out “key actions” for senior executives and directors to take to strengthen their cyber resilience, and is soliciting these business leaders’ feedback on the practices until March 19.
Resilience has been a key pillar of the British government’s approach to the cybersecurity threat for years. Despite the work that has gone into this effort, cyberattacks appear to be reaching an all-time high.
According to the most recent tranche of security incident trends data released by the Information Commissioner’s Office (ICO), there were 874 ransomware attacks against British organizations in the first three quarters of 2023, a surge compared to the 739 incidents recorded throughout the entirety of 2022.
But the simple measure of how many data breaches from ransomware attacks were reported to the ICO does not reflect the more complex effects of cyberattacks, from their impact on productivity through to the serious psychological harms they can pose to victims.
The increase in the volume of attacks is believed to be driven at least in part by the successes of the ransomware-as-a-service ecosystem, which is lowering the bar for entry for criminals to engage in disruptive attacks.
One of the new code’s key aspects is ensuring that companies “have detailed plans in place to respond to and recover from any potential cyber incidents.”
Officials in Britain have stressed the importance of recovery from an incident, as well as organizations having sufficient defenses to prevent incidents from occurring.
The government said on Tuesday that the code of practice would ultimately remain voluntary and would not be put on a statutory footing, although it would “support and align with a number of existing regulatory obligations.”
Business leaders told the government that they found the regulatory environment “complex and challenging to navigate.”
The key regulations — the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Regulations — are continuing to change. The U.K. GDPR is currently set to be reformed by the Data Protection and Digital Information Bill, although the nature of the changes is subject to scrutiny by parliament.
Meanwhile, an update to the NIS regulations that the government promised to bring forward was dropped from the King's Speech last year, meaning the government missed its last opportunity to actually update the laws before a general election.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.