
Achieving cyber-security resilience

Barry O’Connell at Trustwave explains why and how UK businesses must work towards a resilient cyber-security strategy

 

As businesses in both the private and public sectors continue to fall victim to a barrage of cyber-attacks, the need for a robust and forward-thinking cyber-security strategy has never been more pressing.

 

In 2023, the National Cyber Security Centre (NCSC) warned of an enduring and significant threat to the UK’s critical infrastructure amidst a marked rise in state-backed cyber-attacks and other aggressive cyber-security activity. Now with a general election on the horizon, any prospective government needs to prioritise cyber-security to excel in an increasingly digital economy. 

 

Current regulations and their limitations

In terms of regulation, the current government has put some guardrails in place such as the Draft Code of Practice for Cyber-security Governance, which is a means to ensure that organisations protect themselves, their suppliers and partners, and their customers from the harms associated with cyber-security risks.

 

However, despite these frameworks, businesses are falling short of adequate cyber-security postures in the face of ever-evolving cyber-attacks, either due to a lack of resources or, much more concerningly, a lack of awareness of the cyber-threat landscape.

 

The new cyber-security code of practice attempts to bridge this gap and provides some useful guidance for businesses unfamiliar with cyber-security norms.

 

However, its voluntary nature means businesses may choose to ignore it, prioritising their own interests over recommended cyber-security practices, unlike legally binding legislation that would compel compliance and accountability.

 

The consequences of ignoring said guidelines can be severe. We only have to look at the aftermath of the Snowflake cyber-attack, wherein financially motivated cyber-criminals stole a “significant volume of data” from hundreds of customers hosting their vast banks of data with the cloud storage giant.

 

The first crucial step to evolving a business’s current cyber-security strategy needs to be reassessing its effectiveness against the evolving threat landscape. To thrive in a digital economy, British businesses need clear, legally binding cyber-security frameworks and governance that establish accountability across all industries and company sizes.

 

The UK’s recent Memorandum of Understanding with Australia and proposed updates to the Network and Information Systems (NIS) regulations are steps in this direction, but more comprehensive legislation is needed.

 

Considering real-world impacts

What businesses and the government need to keep in mind is that a cyber-attack not only causes disruptions in business operations but has real-world consequences for the individuals who are connected to the systems affected, whether that is an employee or a customer.

 

Take the recent cyber-attack on the NHS as an example. The ransomware attack not only disrupted everyday operations for six NHS trusts and scores of GP practices in South-East London, but also infiltrated the IT systems of the private firm that analyses blood tests and rendered them useless, actively putting patient lives at risk.

 

Cases like these reflect the severity of the impact of cyber-crime; a severity that must not be overlooked when developing regulation and governance around cyber-security. 

 

Despite the prevalence of digitised supply chains and the clear ability of cyber-criminals to disrupt these critical business operations, many companies still do not prioritise cyber-security investments proportionally. In fact, recent conversations between Trustwave and business leaders have revealed that a number of organisations across the UK still consider cyber-security procedures and partners a ‘nice to have’ rather than a ‘must have’. This simply must change.

 

Evolving the cyber-security strategy

As cyber-criminal gangs and ransomware groups proliferate in the UK, there is a pressing need for enforceable cyber-security legislation and mandatory standards of practice, rather than voluntary codes of conduct. Only then can British businesses effectively combat the rising tide of cyber-crime threats. 

 

Of course, this should not happen in isolation. Effectively combatting rising cyber-crime threats also requires enhancing public-private collaboration through robust mechanisms for timely exchange of threat intelligence, best practices, and incident response strategies.

 

It is crucial for the government to consult industry experts to ensure that they are staying updated on the threat landscape and necessary defensive tools, which in turn helps in developing modern legislation that would better protect businesses and employees.

 

Investing in cyber-security talent development and education should also be a top priority within a cyber-security strategy. The cyber-security skills gap remains a significant challenge, hindering businesses’ ability to effectively protect their digital assets.

 

By implementing comprehensive training programs, fostering public-private partnerships with educational institutions, and incentivising the pursuit of cyber-security careers, the government can help cultivate a highly skilled and diverse workforce capable of meeting the demands of our digital age.

 

Lastly, the adoption of best practices in cyber-security needs to be considered. This includes promoting the use of robust encryption, multi-factor authentication, and advanced threat detection and response solutions.

 

By embracing innovation, businesses can better protect themselves against emerging threats, stay one step ahead of diverse threat actors, and maintain a competitive edge in the global marketplace.

 

The challenges are complex and ever-changing, necessitating a proactive governmental approach. By addressing the areas outlined above, the UK can position itself as a global cyber-security leader, ultimately safeguarding businesses, protecting digital infrastructure, and ensuring economic prosperity.

 


 

Barry O’Connell is General Manager, EMEA at Trustwave

 

Main image courtesy of iStockPhoto.com and kuppa_rock

 



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543