Cyber growth, culture and regulatory change

In the last few weeks, there have been some significant developments from the government regarding the importance of cyber security to the UK economy.

A new Cyber Growth Action Plan was unveiled by the Department for Science, Innovation and Technology, aiming to provide a further boost to a £13.2bn-strong cyber sector. The plan is a sectoral analysis, led by academics, and is due to report back with recommendations later in the summer. Alongside this, the Government Cyber Advisory Board has been re-established, and £16m in additional funding has been released to create and support new cyber businesses.

Of greater relevance to the accounting and audit industries is the government’s Industrial Strategy, which places strong emphasis on the role of cyber security. Additional funding for Cyber Essentials to expand the scheme is a central part of the ambition to improve cyber security for all businesses, but there is specific emphasis on the criticality of cyber security for our profession in the Professional and Business Services (PBS) sector plan. Here, there is a desire to provide targeted, regional support for PBS businesses to improve cyber defences and develop a cyber-skilled workforce. ICAEW covered the plan in detail on its launch.

This month, the National Cyber Security Centre (NCSC) also published a new set of cyber security culture principles to encourage a more open, supportive environment for cyber security behaviours in organisations. The principles are intended to help cyber professionals and organisation leaders instil a culture in which the importance of cyber security is valued across an organisation, and best practices are actively promoted and embraced.

June was also the month in which the Data (Use and Access) Bill finally received Royal Assent, after weeks of back and forth. The Act paves the way for so-called Smart Data schemes to allow the secure sharing of information in a standardised way. It also means some notable changes to the regulation of data in the UK, particularly around data protection and the role and powers of the Information Commissioner’s Office (soon to be the Information Commission). The new laws are intended to support more innovative uses of data while protecting privacy. However, it is not without controversy, as many of those in the creative arts have voiced concerns about the potential erosion of intellectual property rights due to the use of their content in training AI models. 

Challenging times for retail…

It’s been a volatile period for retailers, with a number of high-profile incidents. We explored the M&S and Co-op attacks in depth in last month’s round-up, as well as in a recent webinar. Further details have emerged regarding the M&S attack, including reports of an email sent directly to its CEO by the hackers from another employee’s email account. The email suggested that the hackers had full details of the company’s cyber insurance policy, which highlights the importance of not only what the policy covers, but where it is stored. Striking a balance between the accessibility of your cyber insurance policy at the critical moment and keeping it out of reach of potential hacks, is clearly becoming necessary. 

Meanwhile TCS – the provider of IT services to M&S and so potentially implicated in the breach – has made clear that its own systems were not breached so its other customers would not be affected. As M&S and Co-op have slowly returned to normal, Adidas, The North Face and Cartier have also reported cyber attacks, albeit smaller in nature. And in a sign of how one organisation’s misfortune can benefit others, analysts have reported that many of M&S’s rivals have seen a growth in online sales.

As if to further highlight the criticality of supply-chain cyber security, another major UK retailer, Morrisons, has confirmed that an incident last year at Blue Yonder – provider of warehouse management systems – has impacted it well into the current financial year. It is clear that having a robust, tested back-up plan is key to minimising disruption but will not avoid it entirely.

…And the public sector too

While adamant that they have “not been hacked”, HMRC was the victim of a sophisticated fraud to the tune of £47m (later corrected to £49m), with stolen personal data used to access and create thousands of online tax accounts. The fraud used many techniques found in the world of cyber crime, including phishing and social engineering, although, crucially, the data used in the fraud appears to have been obtained from other sources. This is where websites such as Have I Been Pwned can be a useful tool in checking whether your email addresses or passwords have been compromised.

It was recently revealed through a series of FOI disclosures that in excess of £1m of technology assets were lost or stolen by UK government departments in 2024. In total, around 2,000 devices have disappeared across 18 departments and public authorities, which is considered to be unusually high by some experts. While device theft or loss is hard to prevent, steps can be taken to reduce the likely impact, such as the use of encryption and enforcement of enterprise security on all mobile devices, including the ability to remotely wipe and ‘brick’ (ie, render useless) the devices.

And while the announcement of changes to winter fuel payments have been welcomed by many, ICAEW reported earlier this month on evidence that criminals are already using this to carry out phishing attacks on often vulnerable people.

Want to learn more about cyber security?

Visit the ICAEW cyber security webpages. Or email techfac@icaew.com with your cyber stories.