show image

NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful”

The government is calling on board members to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise.

Speaking at the CBI today (12 Oct), Ciaran Martin, the head of the National Cyber Security Centre, will urge business leaders to “get a little bit technical” in order to ensure their businesses’ cyber defences are fit for purpose.

“Cyber security is now a mainstream business risk,” Martin will tell the confederation. “Corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.”

The intervention comes as new research by NCSC reveals that only a third of boards have received training to deal with a cyber incident and 10 per cent still have no plan to respond to one.

In an interview with the BBC this morning, Martin admitted that some of NCSC’s advice in the past had been “frankly unhelpful and hard to follow”.

“We’ve told people they should be able to recognise a fake email,” he told Radio 4’s Today Programme. “Now some fake emails are easy to spot and we’ve all spotted them, but some are extremely difficult.

“My technical director is a world-renowned cyber security expert who can read code as well as anybody on the planet, but a particular email was so sophisticated that apart from one tiny mistake which he admits he was lucky to spot, he’d have opened it.

“What’s the lesson from that? You can’t base organisational responses on the basis that you can teach people who receive hundreds if not thousands of emails a day to spot the dodgy one.”

In a bid to simplify its guidance, NCSC has published a series of five questions for board members to assess their organisation’s level of cyber risk. One such question is: “How do we defend our organisations against phishing attacks?”

“Our sample questions today, which we’ve published in consultation with businesses, aim to equip board members to ask the right questions and begin to understand the answers,” Martin will tell the CBI.

“There is no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk.”

The initial questions will form part of a toolkit for board members, which NCSC intends to publish this winter. Jacqueline de Rojas, president of techUK and chair of the Digital Leaders Board, said cyber security is “no longer just the domain of the IT department” and described the toolkit as “an important development”.

The five questions the NCSC is recommending boards ask are:

  1. How do we defend our organisation against phishing attacks?
  2. What do we do to control the use of our privileged IT accounts?
  3. How do we ensure that our software and devices are up to date?
  4. How do we ensure our partners and suppliers protect the information we share with them?
  5. What authentication methods are used to control access to systems and data?

Martin’s speech comes just days after British Airways revealed it had suffered a huge data breach. The company confirmed that around 380,000 payment transactions had been compromised, exposing customers’ names, email addresses and payment details.

Quizzed about the nature of the attack on the Today Programme, Martin refused to disclose what his team had learnt so far about the incident, noting that it was still under police investigation.

It is not yet clear if the data was intercepted by cyber criminals or nation state actors, but it is feared that both kinds of attacks are on the rise. In April, NCSC warned that British businesses were facing more cyber attacks than ever before.