Get the basics right. That was one of the core themes from our Audit Insights reports, first published nearly seven years ago, and it continues to be at the heart of member needs and the Tech Faculty’s activities on cyber. Many people know what the basics are – strong password management, patching and keeping systems up to date, changing default passwords, implementing a firewall and backing up systems, for example. But most also struggle to implement them in practice.
Another theme from Audit Insights was the ability of boards to make good decisions about cyber security and to integrate thinking about cyber into all other business activities. While many boards have increased their knowledge in this area, there is still a long way to go for many businesses. Asking pertinent questions and having meaningful conversations with security experts is a top priority to help boards gain reassurance that they are doing the right things here.
Therefore, for the rest of 2020, the Faculty will be working more closely with the National Cyber Security Centre (NCSC) on these two themes to promote good basic cyber security and to share more widely the excellent guidance that it provides. This will include the board toolkit, which helps board members understand the business risks and have useful conversations with security teams.
We’ll also be exploring why we seem to struggle to get security right and seeing what lessons we can learn from some of the leading thinking in other areas, such as psychology and design.
Many discussions focus on economics and incentives – is cyber just not a high enough priority for many businesses? This is certainly something being explored by the UK government in its review of cyber regulation and incentives; we expect some recommendations to increase the incentives around good cyber security, particularly for larger businesses, later in the year. We submitted a response to the government’s call for evidence at the end of 2019 and will be actively engaged in further discussions here.
Build secure products
Then there are industry factors; some people argue that there needs to be more emphasis on the tech industry building inherently more secure products rather than expecting users to do all the work. This also links into the work that NCSC is doing at a higher level, for example taking down fake websites speedily, which can relieve some of the burden on individual users and businesses. We will be highlighting any new developments here as and when they happen.
One of the best ways to help members improve their cyber security is to share case studies and practical examples of how others have implemented specific practices. If you work in cyber security or have experience around this area that you would like to share with us and other members, please do get in contact.
Key NCSC resources
Some resources we’ll be drawing on:
About the author
Kirstin Gillon, Technical Manager, Tech Faculty