A key tenet of the new National Cyber Strategy is a “whole of society” approach, which increases the emphasis on the role that both organisations and citizens have in working alongside the government to protect the nation from cyber threats.
Plenty of enterprises – and particularly those that provide elements of critical national infrastructure (CNI) – have been clear about their responsibility in this space for many years. However, as cyber attacks increasingly disrupt businesses, individuals and the wider economy, there is recognition of the need to broaden the onus for action.
The aim is that everyone benefits from the new strategy, having also played a part in its implementation. Organisations that don’t already think of themselves as an integral part of society now need to do so, rather than believing themselves to be individual entities, and look at their role in fighting cyber criminals. This requires starting from a strong base: confirming their own house is in order by ensuring the security of their networks and information systems and the vigilance of their teams.
Ultimately, the strategy should identify a common methodology for managing cyber security risks. The consistency will foster efficiency across all organisations, and support the collaboration required to facilitate the exchange of threat and risk information across inter-dependent systems.
To achieve this, the strategic objectives have been broken down into five pillars for implementation.
Pillar 1: Strengthening the UK’s cyber ecosystem
This supports the “whole of society” approach. It aims to drive understanding within organisations as well as build the relationships and trust that are both key to the direction the UK is taking.
With more open dialogue between the enterprise, government and academia, organisations will have opportunities to be involved in the conversation. By being in a position to offer valuable insight into the challenges, they will potentially be able to shape policy that supports them.
From an intra-industry perspective, collaboration will encourage players in the same field to connect and share cyber defence strategies for mutual benefit, building a network of deterrents against cyber attacks that target their sector or organisations of a similar size. Equally, knowledge sharing across industries will be vital to broaden skillsets in order to tackle real-world threats as they evolve.
This pillar also covers the cyber skills, services, and products that will help organisations improve their defensive posture. The importance of cyber security skills and awareness in protecting and securing data and systems is increasingly well understood. Many enterprises already have extensive expertise in the area, making them well placed to advise the government and individuals. Incorporating the fight against cyber criminals into corporate social responsibility (CSR) programmes could formalise the process of knowledge sharing.
Pillar 2: Building a resilient and prosperous digital UK
Here, the emphasis is on developing resilience by first understanding and then appropriately managing cyber risk. It builds on the previous pillar with the ability to identify cross-cutting and systemic risks, guide priorities, and drive business cases for risk reduction activities.
Organisations will again benefit from the sharing of insights and common threats, as well as the progress of risk reduction in different sectors. Some of these sectors (CNI, for example) can expect more regulations detailing their responsibilities and the appropriate actions required to manage cyber risk.
However, management of cyber risk and defensive measures will never stop all cyber attacks, and this pillar also discusses the importance of responding to and recovering from an attack.
The government will be looking to improve its coordination of cyber incidents that have a national impact. Organisations should aim to support those efforts, with activity including the early reporting of breaches they believe may be of national significance (with this linking back to building the relevant relationships and trust outlined in pillar 1).
Pillar 3: Taking the lead in the technologies vital to cyber power
The third pillar suggests increased investment in the UK’s technology sector. This is good news for businesses that build cutting-edge technologies, but over time all organisations will benefit from the technological advances, which will need to be secure-by-design and developed to sufficient standards.
Emerging technologies in this space include 5G/6G, quantum computing and microprocessors among others, all of which could serve an organisation by helping it bolster its defences, regardless of whether it has had a hand in developing them.
Pillar 4: Advancing UK global leadership and influence for a secure and prosperous international order
The footprints of many organisations’ cyber space operations span multiple countries – each of which has individual legal requirements. Within this pillar, the UK government hopes to influence a multi-nation drive for global governance as well as improve the cyber defence posture of other countries to better combat cyber threats as a whole.
The nature of digital operations means global organisations can face cyber threats from anywhere in the world. Over time, they should benefit from a safer environment and face fewer business-disrupting cyber risks.
Pillar 5: Detecting, disrupting, and deterring our adversaries to enhance UK security in and through cyber space
Cyber crime is a major industry, currently demonstrated by the frequent occurrence of well-publicised ransomware attacks, which cause massive disruption to organisations and require heavy recovery costs.
The final pillar aims to improve UK security in cyber space through targeting cyber criminals and deterring malicious actors to reduce the appeal of conducting cyber crime.
A key role for organisations is to refrain from the understandable temptation to protect their reputations by covering up successful cyber attacks, instead reporting them to the National Cyber Security Agency (NCSC) and National Crime Agency (NCA) so that the government is aware and can gather evidence to tackle the relevant criminal groups.
The National Cyber Strategy should be seen as a welcome injection of both focus and investment in bettering cyber defence for everyone.
As the “whole of society” approach suggests, the UK government cannot make the much-needed changes without the support of both organisations and individuals. Organisations will need to move away from working in silos to collaborate on countermeasures and backup plans, and put cyber defence firmly on the boardroom agenda. And as more citizens become aware of cyber risks and the importance of their role in protecting their information, the risks of data leaks and infringement in general are reduced.