WIREDGOV

Toolkit being produced by the NCSC to support boards and businesses with cyber incidents.

• Toolkit to support boards being developed by National Cyber Security Centre, part of GCHQ
• Boards urged to pass on feedback to help mould toolkit, due to be published later this year
• CEO Ciaran Martin makes announcement to “deliver the expert guidance boards tell us they need” at the Times CEO Summit 2018
• NCSC also announce two-year research programme to better understand and support boards

Boards of major companies will better understand and prepare for cyber threats after expert advice is published for them later this year, it was announced yesterday (26 June). 

Speaking at the Times CEO Summit 2018, National Cyber Security Centre (NCSC) Chief Executive Officer Ciaran Martin said the organisation is working with businesses to recognise and resolve gaps in boards’ knowledge through the production of a free toolkit. 

The FTSE 350 Cyber Governance Health Check Report 2017 found that while 31% of boards receive comprehensive and informative management information on cyber risk, 68% have received no training to deal with a cyber incident and 10% of boards have no plan in place to respond to one. 

New General Data Protection Regulation (GDPR) laws were created on 25 May, meaning companies face significant fines if they do not collect, use and store people’s personal data correctly. 

The NCSC has been working with boards as focus groups to determine what support is needed to ensure board members and staff who report to them are able to recognise threats, enable discussions and implement appropriate measures.

Ciaran Martin, Chief Executive Officer of the NCSC, said: 

“The toolkit will deliver the expert guidance boards tell us they need to ensure cyber security is on their agenda. The consultations so far have included several major companies, and we would encourage any businesses to send their thoughts on how the toolkit could best help them.

“Questions over cyber vulnerabilities should be as robustly discussed at a board level as physical security or financial risks. We are committed to working with boards to ensure this happens.

“Once the toolkit is published later this year, we hope it produces a common set of guidance that will act as a core reference library and ensure there are no barriers preventing UK boards from preparing for cyber threats.” 

Any businesses who want to have their voices heard can give their feedback to the NCSC by sending an email to enquiries@ncsc.gov.uk.

While primarily aimed at large companies, smaller businesses will be able to tailor it for their particular sector. The NCSC has also already published a cyber security Small Business Guide. The toolkit will be regularly updated to stay up-to-date and will be published for free on the NCSC website.  

The NCSC is also collaborating with the Research Institute in Science of Cyber Security (RISCS) on a two-year research programme to understand more about how to support boards in managing cyber risk. The outcomes of this research will inform the NCSC’s future work in this space.

Ciaran Martin added:

“This is not about dictating how boards should implement cyber security - we want to help companies implement the best approach for their specific organisation. 

“We also want our toolkit to be useful to those feeding into the board, such as IT workers. By putting the risks in the same language and framework as broader business risks, we hope to help them have more effective discussions with the board members at their companies.” 

Feedback from focus groups that existing guidance on cyber security is too dense to grasp means the toolkit will likely offer a concise and easy-to-understand introduction to threats that links readers to more detailed discussion on items pertinent to their organisation. 

Research for the toolkit started last winter and has included one-to-ones, working groups and workshops with external stakeholders and partners. A key partner in the work to date has been techUK.

Jacqueline de Rojas, President of techUK, said: 

“Cyber security is no longer just the domain of the IT department.  Those around the board table must understand the constant and persistent cyber threat to their businesses and to educate themselves of the steps they need to take to ensure that they are cyber-resilient.

“That is why the NCSC toolkit, specifically aimed at board members, is an important development.  It will help de-mystify concerns around cyber security, enabling senior executives to discuss their cyber risk appetite in a confident and proactive manner.

“techUK will continue to work with the NCSC to raise awareness of the toolkit in order to protect businesses both large and small in the UK.”

Notes to editors 

• The UK Government is fully committed to defending against cyber threats and address the cyber skills gap to develop and grow talent  as part of the five year National Cyber Security Strategy (NCSS), supported by £1.9 billion of transformational investment. 
• The NCSC was created in October 2016 as part of the NCSS. It provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. 
• GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities. 
• Any businesses who want to have their voices heard can give their feedback to the NCSC by sending an email to enquiries@ncsc.gov.uk.
• For the toolkit, internal research has included: 
  • Reviewing CPNI’s previous ‘Board briefing’ service for lessons identified as well as the CPNI Passport. 
  • 1-2-1s with members of an informal cross-NCSC working group.  
  • Reviewing the RISCS 2-year Supporting the Board research aims and objectives. 
  • Identifying relevant feedback coming out of the Leadership strand at CYBERUK.