NCSC challenges business leaders to learn the 'basics' of cyber security
GCHQ's cyber arm offers cyber security guidance to help business leaders curtail 'fear of feeling foolish'


The National Cyber Security Centre (NCSC) will launch fresh guidance for organisations as its CEO warned business leaders must embrace the technical detail of cyber security, or face a greater risk of attack.
Board-level members especially are duty-bound to ask questions, and engage with the technicalities of security, NCSC's Ciaran Martin warned, speaking at the Confederation of British Industry's (CBI's) fourth annual Cyber Security Conference.
The toolkit, which the GCHQ satellite organisation will roll out later this month, will provide guidance as to how business leaders can get to grips with a "mainstream business risk".
"People at board level need to understand the basics - and I stress, basics - of cyber attacks, cyber risks and cyber defences," Martin said in his keynote address.
"That's daunting, but it is doable. It's essential. And today is a significant moment in our efforts to equip the UK's major companies to do it."
Martin also trailed the toolkit with five key questions business leaders can ask their CIOs to ascertain a basic understanding of an organisation's security needs, saying "nodding to avoid feeling foolish can sometimes be the most foolish thing to do".
These questions involved phishing attacks, privileges for IT systems, software patching, assessing cyber risk in the supply chain, and the authentication methods employed across the company.
"No-one in government is asking you to make cyber security your top priority. Your core business is your top priority," he continued.
"We do expect you, however, to be good enough at cyber security to take care of the things you care about. And that means you have to understand what they are, and what you can do to protect yourselves. This means you need to be - at least a little bit - cyber literate."
Underlying boardroom-level ignorance, and a lack of expertise across organisations of all sizes, are several common misconceptions, he added.
These include the notions that security is too complex, that attacks are too sophisticated and therefore impossible to stop, and that attacks are only ever targeted and are therefore low risk.
"Cyber security is no longer just the domain of the IT department," said TechUK president Jacqueline de Rojas.
"It can't be delegated. Those around the board table must understand the constant and persistent cyber threat to their businesses and to educate themselves of the steps they need to take to ensure that they are cyber-resilient.
"That is why the NCSC toolkit, specifically aimed at board members, is an important development.
"It will help demystify concerns around cyber security, enabling senior executives to discuss their cyber risk appetite in a confident and proactive manner."
Business leaders attending the CBI's annual event, hosted in Canary Wharf, London, also heard a keynote from the deputy commissioner for operations at the Information Commissioner's Office (ICO), James Dipple-Johnstone.
Both Dipple-Johnstone's and Martin's addresses were followed by several panel discussions centred on cyber security trends.
ComXo's managing director Andrew Try lamented boardroom complacency while discussing key threats and lessons for cyber security in 2019, on a panel also comprising representatives from BAE, BT, AIB and UCL.
"There's a woeful lack, at board, an appetite to fire drill practice complete outages, complete loss of data; really worst case scenarios," Try said.
"We just put a tick in the box and say it's mitigated. But you're never actually going to your organisation - pulling the plugs out - and saying 'right it's gone dark - what are you going to do about it?'
"Because of that you're not going to be ready if you do get hit by a Petya type attack or a ransomware attack. It completely disables you - not just a loss of data, but a loss of everything.
"And I think boards need to raise their awareness these can come from anytime, from anywhere. You cannot protect against them, but you can prepare what you're going to do if that were to happen."
The ICO's James Dipple-Johnstone, meanwhile, dedicated his speech to reassuring businesses that his organisation will not be handing out massive fines if reasonable measures are taken and the principles outlined in the General Data Protection Regulation (GDPR) are followed.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.