The Cyber Action Plan, setting out the government’s strategy for protecting itself from cyber attacks, breaks down its approach into five elements:
- accountability;
- support;
- services;
- response and recovery; and
- skills.
Each of these areas, while predominantly outlining government plans, includes points that any organisation should consider.
“The Government Cyber Action Plan is a comprehensive publication which, if enacted in full, will put the UK Government on a strong footing when it comes to its ability to provide robust, secure, tech-enabled public services,” says Ian Pay, ICAEW’s Head of Data Analytics and Tech. “While most organisations would not be of the scale or complexity of central government, the fundamental components of the action plan are no less applicable and all organisations, regardless of their size, should consider what their own cyber action plan might look like. In our profession, we are only as strong as our weakest link, so it matters to all of us that cyber risks are taken seriously - an attack on one organisation has the potential to tarnish us all.”
Clear, shared accountability
Setting clear expectations for who manages cyber risk is crucial. This needs to be set at all levels, from the leadership down. The overall ownership of cyber risk management should sit with the CEO.
Organisations should establish clear roles and responsibilities, governance structures, plans and processes to ensure that accountability structures are in place. That also includes suppliers; there should be requirements for approved suppliers to meet a certain standard of cyber hygiene.
The Board and senior management should also provide support to the CEO to ensure that cyber risks are being managed appropriately and ensure that cyber governance is robust.
Other accountable people include the following.
- A board member with cyber security experience
- A ‘Chief Information Security Officer’ – someone who can manage cyber security across the organisation
- A ‘Chief Digital and Information Officer’ – a person with oversight of the organisation’s IT infrastructure
- A Technology Risk Owner – someone to whom people can report potential risks
- Department representatives that manage and monitor cyber risks on their teams
In smaller organisations, one or two people may end up sharing these roles.
Utilise your networks
The government wants different government agencies to share experiences, knowledge and resources to help improve cyber resilience. Likewise, organisations can work with local business networks, suppliers and other organisations in their sector to share information on cyber risks and support each other with advice.
Collaboration on cyber risks can create collective resilience and awareness of the risks. Working with suppliers through strategic frameworks, for example, can potentially protect every business in a supply chain.
Identify cyber service gaps
The government wants to improve access to the services that underpin cyber resilience. These could be internal or external services and primarily revolve around three areas:
- risk visibility;
- day-to-day cyber security;
- responses to cyber incidents.
Organisations should review their policies and procedures in relation to these areas and identify any gaps and weaknesses that they need to address. In many cases, these gaps would be filled through a combination of external service providers and improvements to internal service lines, such as IT support.
Prepare your responses
Organisations need to have a plan in place in case an incident does occur. This should include how they immediately respond to the incident and how they recover from it. Cyber and management teams should know exactly what they need to do in the face of an incident. In the words of the Cyber Action Plan:
“Organisations are responsible for ensuring they are prepared to rapidly, effectively and expertly manage potential cyber and resilience issues impacting their organisation... This includes developing, exercising and continually improving robust plans at every level, covering likely and high-risk scenarios.”
The government outlines a cyber incident lifecycle that could work well for businesses of any size:
- prepare;
- detect;
- respond and recover; and
- learn and improve.
In particular, the last phase of the cycle can ensure that, if a cyber incident were to occur, cyber resilience improves as a result.
Develop cyber skills through hires and training
There’s a cyber skills gap across all industries that needs to be addressed. According to the Cyber Action Plan, 49% of businesses are struggling to get the cyber skills they need.
The Plan recommends a ‘recruit, upskill, retain’ approach to this, bringing organisations up to speed through a combination of recruitment and staff development and training.
This should involve not only developing and recruiting for cyber-specific roles, but also building cyber skills and awareness among non-cyber staff. “Cyber security and resilience is everyone’s responsibility: all of us are affected by it and have a part to play in ensuring it enables business objectives. It is therefore vital that all roles have a working understanding of cyber risk and how it applies to their role.”
Leadership, commercial teams, finance and HR are particularly vulnerable to cyber attacks and may need more detailed training and awareness.