NCSC targets business leaders with cyber security toolkit

New material is released six months after its CEO urged the c-suite to learn the very “basics” of cyber security


The National Cyber Security Centre (NCSC) is hoping to raise the level of cyber security awareness among the most senior members of UK organisations to combat the wave of threats their businesses face.

Its new Board Toolkit, which specifically targets board members, company executives, and trustees, presents a general introduction to cyber security, and several sections that explore specific aspects of cyber security. It aims to encourage discussion about cyber security between organisations' boards and their technical experts and chief information security officers (CISOs).

Each of these sections outlines what the cyber security aspect is and why it's important to board members, and recommends what they should be doing when faced with any particular flavour of cyber threat.

This material is presented via a combination of text, infographics, bullet-pointed checklists, and interactive elements. This is also packaged with an appendix of key legal and regulatory aspects, such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive.


"Good cyber security protects that ability to function, and ensures organisations can exploit the opportunities that technology brings," the toolkit says. "Cyber security is therefore central to an organisation's health and resilience, and this places it firmly within the responsibility of the Board.

"New regulations (such as GDPR) as well as high profile media coverage on the impact of cyber incidents, have raised the expectations of partners, shareholders, customers and the wider public. Quite simply, organisations - and board members especially - have to get to grips with cyber security."

The NCSC's board-level toolkit has also been released six months after its CEO Ciaran Martin challenged business leaders to urgently learn the "basics" of cyber security for the sake of their organisations.

Speaking at the CBI's fourth annual cyber security conference in September, Martin trailed the toolkit with a list of five basic questions business leaders can ask CIOs to gain a basic knowledge of their organisation's security needs. He added that "nodding to avoid feeling foolish can sometimes be the most foolish thing to do".

The material's release coincides with a recent government report highlighting worries that board-level executives at some of the UK's largest firms still don't understand the impact of cyber security.

The annual Cyber Governance Health Check found that less than 16% of boards of FTSE 350 companies had a comprehensive understanding of the impact of a cyber attack. This is despite 96% of these firms having a cyber security strategy in place. 


The toolkit has been put together with input from a range of boards from different sectors within the UK, as well as their CISOs. The material aims to put organisations' boards in a much better position to take proactive steps to avoid attacks in the first place.

"A common issue in the UK boardroom has been that cyber is delegated to the IT department and does not rise to the surface as a priority until a breach has occurred," said the president of techUK Jacqueline de Rojas.

"Given that a cyber attack is no longer an 'if' but more likely a 'when', board members need help with guidance on what to protect and how to go about it."

Business leaders shouldn't feel compelled to read the material in a single sitting, according to the NCSC; rather, it's designed for them to dip in and out of.


Various topics embedded in the materials include growing cyber security expertise, embedding cyber security in an organisation's structures and objectives, and collaborating with suppliers and partners.

The toolkit also advises business leaders on how to handle the fallout after suffering a cyber incident, with its key recommendation being to drive a "no blame" culture. By not blaming any individual, the NCSC says, organisations will gain clearer analysis and insights to help prevent future cyber incidents.
