The British government is urging business leaders to enhance their defenses against cyberattacks, considering the threat as a significant business risk comparable to financial and legal challenges. A recent government survey revealed a lack of director involvement in cybersecurity, with only 30% of businesses having board members explicitly responsible for cybersecurity.
A draft Code of Practice, published on Tuesday, outlines key actions for senior executives and directors to bolster cyber resilience. Business leaders are invited to provide feedback on the practices until March 19.
While resilience has been a cornerstone of the UK government’s cybersecurity strategy, recent data from the Information Commissioner’s Office (ICO) indicates a surge in cyberattacks. The first three quarters of 2023 saw 874 ransomware attacks against British organizations, surpassing the 739 incidents recorded across the whole of 2022.
The increase is attributed in part to the success of the ransomware-as-a-service ecosystem, which lowers the barrier to entry for criminals seeking to carry out disruptive attacks. The new code emphasizes the importance of companies having detailed plans for responding to and recovering from cyber incidents.
The government clarified that the code would remain voluntary and not become statutory. It aims to align with existing regulatory obligations, acknowledging the complex and challenging nature of the regulatory environment. Key regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Regulations are subject to ongoing changes. The UK GDPR is set for reform through the Data Protection and Digital Information Bill, pending parliamentary scrutiny. However, an update to the NIS regulations promised by the government was omitted from the King’s Speech last year, missing the opportunity for law updates before a general election.