At the National Cyber Security Centre (NCSC) a key area of focus is to ensure that board members and senior leaders recognise the importance of cyber-resilience across their organisations.
Any CEO or board member who is still asking why they should concern themselves with cybersecurity need only look at the numerous examples in the media of cyberattacks on organisations, not least those involving ransomware. The potentially devastating impact of such attacks on an organisation’s operations demonstrates why cybersecurity should matter to boards and senior leaders. It’s not just the money the organisation might be asked to pay in a ransomware attack to recover data. It’s also the lost business, the reputational damage and the expense of investigating and recovering from the attack.
The reality is that every year many millions of pounds are lost to opportunistic cybercriminals targeting organisations across all sectors, looking for weaknesses in their defences. This threat cannot simply be ignored or left to technical experts. The vast majority of attacks are still based on well-known techniques, such as phishing emails, which can be defended against.
[See also: Small businesses urged to improve cybersecurity]
Fortunately, organisations are not alone in dealing with these threats, and the NCSC – which is a part of GCHQ – is here to help.
So what is it exactly we are asking of CEOs and boards? Board members don’t need to be technical experts but they do need to know enough about cybersecurity to have constructive conversations with their key staff and assure themselves that their defences are robust enough to mitigate their organisation’s highest priority risks. These should have the same prominence as financial or legal risks in board discussions. Crucially, cybersecurity is not just “good IT”: it underpins operational resilience and, when done well, enables an organisation’s digital activity to flourish.
At ncsc.gov.uk there is an extensive suite of guidance, products and services for technical leaders in medium to large organisations, including the NCSC’s 10 Steps to Cybersecurity, Exercise in a Box and Early Warning. And then there is the NCSC’s newly-refreshed Cybersecurity Board Toolkit, a free online resource designed to encourage productive discussions between the board and key stakeholders across the business.
The toolkit provides a general introduction to cybersecurity and helps boards to ensure that resilience is embedded throughout their organisation and integrated into organisational risk management.
Originally published in 2019, the toolkit proved very popular with boards and their feedback, together with input from non-executive directors and our industry contacts, will ensure it remains up to date, relevant and written in language that boards are familiar with. We have now updated it with new content including bite-sized videos, case studies from real life incidents, an executive summary and a podcast with contributions from industry leading voices – all designed to make it more engaging than ever before.
As all leaders will appreciate, good preparation is vital to success, and this is absolutely the case with cybersecurity: it protects the organisation and its customers and builds resilience. I encourage all board members to take time to read the toolkit, and use it to drive productive cybersecurity discussions between boards and key stakeholders in your organisation.