NCSC targets business leaders with cyber security toolkit

boardroom filled with people's silhouettes sat around a large table
(Image credit: Shutterstock)

The National Cyber Security Centre (NCSC) is hoping to raise the level of cyber security awareness among the most senior members of UK organisations to combat the wave of threats their businesses face.

Its new Board Toolkit, which specifically targets board members, company executives, and trustees, presents a general introduction to cyber security, and several sections that explore specific aspects of cyber security. It aims to encourage discussion about cyber security between organisations' boards and their technical experts and chief information security officers (CISOs).

Each of these sections outline what the cyber security aspect is, why it's important to board members, and recommends what they should be doing when faced with any particular flavour of cyber threat.

This material is presented via a combination of text, infographics, bullet-pointed checklists, and interactive elements. This is also packaged with an appendix of key legal and regulatory aspects, such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive.

"Good cyber security protects that ability to function, and ensures organisations can exploit the opportunities that technology brings," the toolkit says. "Cyber security is therefore central to an organisation's health and resilience, and this places it firmly within the responsibility of the Board.

"New regulations (such as GDPR) as well as high profile media coverage on the impact of cyber incidents, have raised the expectations of partners, shareholders, customers and the wider public. Quite simply, organisations - and board members especially - have to get to grips with cyber security."

The NCSC's board-level toolkit has also been released six months after its CEO Ciaran Martin challenged business leaders to urgently learn the "basics" of cyber security for the sake of their organisations.

Speaking at the CBI's four annual cyber security conference in September, Martin trailed the toolkit with a list of five basic questions business leaders can ask CIOs to gain a basic knowledge of their organisation's security needs. He added that "nodding to avoid feeling foolish can sometimes be the most foolish thing to do".

The material's release coincides with a recent government report highlighting worries that board-level executives at some of the UK's largest firms still don't understand the impact of cyber security.

The annual Cyber Governance Health Check found that less than 16% of boards of FTSE 350 companies had a comprehensive understanding of the impact of a cyber attack. This is despite 96% of these firms having a cyber security strategy in place.

The toolkit has been put together with input from a range of board from different sectors within the UK, as well as their CISOs. The material aims to put organisations' boards in a much better position to take proactive steps to avoid attacks in the first place.

"A common issue in the UK boardroom has been that cyber is delegated to the IT department and does not rise to the surface as a priority until a breach has occurred," said the president of techUK Jacqueline de Rojas.

"Given that a cyber attack is no longer an 'if' but more likely a 'when', board members need help with guidance on what to protect and how to go about it."

Business leaders shouldn't feel compelled to read the material in a single sitting, according to the NCSC, rather it's designed for them to dip in and out of.

Various topics embedded in the materials include growing cyber security expertise, embedding cyber security in an organisation's structures and objectives, and collaborating with suppliers and partners.

The toolkit also advises business leaders on how to handle the fallout after suffering a cyber incident, with its key recommendation being to drive a "no blame" culture. By not blaming any individual, the NCSC says, organisations will gain clearer analysis and insights to help prevent future cyber incidents.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.