Out-Law News | 01 Feb 2022 | 12:02 pm | 3 min. read
UK organisations should apply security patches for their systems, develop an effective incident response plan, and test their online defences, the National Cyber Security Centre (NCSC) has advised.
The recommendations form part of a package of actions the NCSC said businesses and public sector bodies should take to remain cyber resilient when the cyber threats they face are heightened.
Paul Chichester, NCSC director of operations, said: “The NCSC is committed to raising awareness of evolving cyber threats and presenting actionable steps to mitigate them. While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient.”
Chichester said that recent cyber incidents observed in Ukraine “bear the hallmarks of similar Russian activity we have observed before”.
The NCSC’s updated guidance has been issued at a time when the NCSC is warning of the potential cyber threat UK organisations could face if “recent malicious cyber incidents in Ukraine” escalate.
Cyber risk expert Stuart Davey of Pinsent Masons said: “The NCSC’s advice for organisations to invest in preparing incident response plans may be gaining some traction: we are increasingly seeing our clients seeking advice to help develop their cyber readiness programmes. This includes work to understand obligations in the event of a cyber incident, and we are helping our clients develop incident response plans, including through our cyber response plan solution, Cyturion. We find that those organisations which have considered cyber risks proactively are able to respond more effectively to an incident.”
Early results from a three-year longitudinal study by the UK government, which aims to track changes in the cyber resilience of UK businesses and charities over time, have identified a need for action on cybersecurity.
An Ipsos MORI survey of more than 1,200 UK businesses and 500 charities, conducted on behalf of the government over a four-month period to 7 July 2021, found that just 23% of businesses had used information or guidance from the NCSC to inform their approach to cybersecurity over the previous 12 months. Only 19% of businesses said they had adopted government-backed cybersecurity standards under the ‘Cyber Essentials’ scheme.
The survey also found that 60% of businesses said they had not formally assessed or managed the potential cyber risks in their supply chains within the 12 months prior to being surveyed, and that just 51% of businesses have written policies for managing cybersecurity incidents.
The UK government also recently published a government cybersecurity strategy, which aims to ensure that “core government functions … are resilient to cyber attack”. The government’s central objective for the strategy is “for government’s critical functions to be significantly hardened to cyber attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030”.
Under the strategy, government departments will need to evaluate the extent to which they are appropriately managing the cyber risks specific to their functions, with reference to a cyber assessment framework developed by the NCSC.
The strategy also envisages the centralisation of the way the government defends itself against cyber attacks. A Government Cyber Coordination Centre (GCCC) is to be set up “to better coordinate operational cyber security efforts, transforming how cybersecurity data and threat intelligence is shared, consumed and actioned across government”.
Government suppliers will also be subject to new supply chain cybersecurity principles, and they will be expected to “provide transparent statements of adherence” to those principles, according to the strategy.
The government said: “Cybersecurity requirements in government procurement frameworks and contracts will be strengthened, ensuring that commercial arrangements are risk based and consistent with robust clauses relating to the identification and management of subcontractors. This will make it easier to procure tools and services with appropriate security by default.”
Separately, EU financial regulators have endorsed the proposed development of a pan-European systemic cyber incident coordination framework. The establishment of the framework has been recommended by the European Systemic Risk Board (ESRB), the body responsible for the macroprudential oversight of the financial system within the EU.
The ESRB said the framework would help bridge “any coordination and communication gaps” within existing mechanisms for coordination between different authorities and help to ensure there is “effective Union-level coordinated response in the event of a cross-border major cyber incident or related threat that could have a systemic impact on the Union’s financial sector”.
In a joint statement, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) said that with “constantly evolving” cyber threats, there is “the need for authorities to coordinate and communicate swiftly in the event of a major cyber incident, to rapidly assess its impact and to support confidence in the financial sector”.
ENISA, the EU’s cybersecurity agency, recently published a new report designed to help organisations implement the principles of data protection by design and by default in practice.