UK government gets tough on security obligations with new cyber ‘code of practice’

Westminster Parliament, home of the UK government, pictured during the day time with UK flag flying in background
(Image credit: Getty Images)

The UK government has launched a draft code of practice on cyber security governance in a bid to encourage firms to prioritize cyber threats as a key business risk. 

Officials have called for feedback on the proposed Cyber Governance Code of Practice, which is aimed at executive and non-executive directors and other senior leaders.

The code recommends treating cyber security issues as just as much of a key focus as financial and legal pitfalls, urging leaders to set out clear roles and responsibilities across their organizations, boosting protections for customers and safeguarding their ability to operate safely and securely.

"Cyber attacks are as damaging to organizations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organization’s cyber security regimes - protecting their customers, workforce, business operations and our wider economy," said minister for AI and intellectual property, Viscount Camrose.

"This new code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionizing how we work."

A major focus of the code is the ability to respond to and recover from any potential cyber incidents, with plans regularly tested so they're as robust as possible, and with a formal system for reporting incidents also in place.

It also urges organizations to give employees the skills and awareness of cyber issues they need to work with new technologies in confidence.

The government is calling on businesses of all sizes from all sectors to share their opinions on the draft code.

"It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views," Camrose said.


A whitepaper from SecurityScorecard on how to best mitigate third party risk

(Image credit: SecurityScorecard)

Discover a verification framework for DORA


The draft code is a response to the fact that almost one-in-three UK firms have suffered a cyber breach or attack in the past year, with a sharp rise in ransomware attacks recorded against businesses.

Kevin Curran, IEEE senior member and professor of cyber security at Ulster university, welcomed the move as a positive step to ensure organizations across the country focus their efforts on mitigating growing cyber threats.

"The threat landscape is constantly evolving, so organizations need to keep pace and ensure that they regularly reviewing and upgrading their defenses,” he said.

“Some approaches that worked just a few years ago are now obsolete and attackers change their profile far quicker now, so it is incredibly difficult to identify which packet requests are nefarious.

"Moving forwards, senior management must have a more holistic understanding and approach to cybersecurity and IT departments must be able to maintain proficient security protocols or policies for years to come. Inevitably, this means increasing the amount of IT security staff and ensuring all staff are sufficiently trained, even if just basic cyber skills."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.