
Cyber Security Governance resources from the UK Government


Last month, the UK government addressed a letter to all CEOs and Chairs of leading UK companies emphasising that hostile cyber activity is increasing in frequency, sophistication, and impact. It also stated that cyber resilience is a critical enabler of economic growth and that organisations recover better when they have planned and rehearsed for worst-case disruption.

Although the letter references services and bills that are UK-centric, it contains some interesting points and information that could be considered and/or used in any country.

The letter asks companies to take three specific actions:

  • Make cyber risk a Board-level priority by using the Cyber Governance Code of Practice.
  • Sign up to the Early Warning service of the National Cyber Security Centre (NCSC) – a free service giving early alerts of potential attacks on your network. Your country may offer a similar national CERT service; if not, it could be replaced with a commercial offering (CTI service).
  • Require Cyber Essentials certification in the supply chain (and implement its controls on your own systems) – this scheme certifies a minimum standard of cyber controls. In countries where such a scheme does not exist, suppliers could instead be required to be certified against certain frameworks (e.g. NIST, ISO 27002, etc.) or against a set of requirements derived from those frameworks.

The letter underlines that large-scale disruption from cyber-attacks can damage operations, profitability, customer trust and more. It emphasises that even if all attacks cannot be prevented, robust planning, response and recovery capability is essential.

It calls for collaboration between business and government and indicates upcoming regulatory developments (such as a “Cyber Security and Resilience Bill”). For banks, the BOM has started a similar initiative, and they are also reaching out to other industries.

Finally, it also provides several links to useful resources that are mostly free and well presented. If your company wants to create or update its Cyber Security Governance, that website and its resources could be of use.

Direct Link to that letter:
Letter on the gov.uk website
