Why 'change' for the UK must include cybersecurity

Labour needs to get ahead and demonstrate a commitment to security from the outset


Over the last six weeks, the UK election has carried the promise of "change", from all parties. With a new Labour government now appointed, there is certainly a lot of work to be done.

Priorities range from the NHS to the economy to defence, but within the security industry there is one more critical area of concern that demands an urgent response. High-profile cyber attacks continue to dominate the headlines, and with research revealing that security and IT leaders are losing ground in the race against cybercrime as undetected breaches rise by 20%, the new leadership must understand that there can be no national security without a nationwide, top-down focus on cybersecurity.

It is encouraging that the Labour manifesto promised a Strategic Defence Review within its first year in government and that it would set out the path to spending 2.5% of GDP on defence. This must include a focus on supporting both the public and private sector to implement a more proactive approach to cybersecurity.

Meeting the demand

The cyber skills gap is a well-known barrier to national security around the world. According to government data, 50% of all UK businesses have a basic cyber security skills gap. To improve the UK's security posture, an ongoing investment in fostering new cyber skills is critical, both in higher and further education, and as a reskilling initiative for individuals well within their careers.

But combatting the cyber skills gap is not just a question of creating more cyber experts. For organisations to take hold of their security posture, they must move past the idea that cybersecurity is a matter for security leaders alone. If the new government wants to empower British businesses to better defend themselves against attacks, they must support and encourage business leaders to bring the challenge of cybersecurity into the boardroom. This is as true for small businesses as it is for large enterprises. What's vital is guidance.

The importance of frameworks

Regulatory compliance, either with GDPR or industry-specific mandates, such as finance's DORA or the FCA Operational Resilience, is unquestionably daunting for business leaders. And yet, as high-profile cyberattacks rise, new regulations and the rise of cyber insurance are making adherence to security standards non-negotiable. With a new government, I expect regulations will increase in the coming years. But regulations will not work if businesses aren't also offered support.

The UK government needs to educate businesses on critical security frameworks and standards, including ISO 27001. By providing a structured approach to a complex issue, frameworks empower business leaders to engage with their security posture, alleviating the pressure on security teams by creating a top-down culture of cyber best practices.

Successful organisations must proactively move beyond base-level compliance, and frameworks are vital to helping business leaders to identify, mitigate, and prepare for cyber risks. Tabletop incident response exercises, as one example, are critical for both operational resiliency and national security, and those led by the board are bound to be most successful. From legal teams to security professionals, even to customer success managers, attack playbooks ensure that all internal stakeholders understand their role in responding to a cyber incident.

By establishing and regularly practicing a playbook, business leaders can build a confident team that can respond faster and more appropriately to a live threat, with a view to intercepting and remediating an attack before it can cause further damage. The recent ransomware attack on three London hospitals, enacted through a pathology partner, shows the ripple effect of an unchecked breach. Empowering all organisations, not just those in the public sector, to better detect and respond to an attack should be a priority for Labour. An organisation's exposure to cyber risk is intertwined with that of its entire supply chain, and I hope that Keir Starmer takes the chance to reduce the widespread damage potential of similar supply chain attacks.

A focus on frameworks would also emphasise to businesses that security does not need to be expensive. Too often, business leaders and their security colleagues spend too much of their budget on new and expensive tools without investing in the human processes and best practices that can go a long way to reducing risk, and focusing security tooling where it is most needed. From setting out standards for onboarding and offboarding to access management and even AI use policies, frameworks demonstrate the importance of business processes in maintaining a strong security posture.

Embracing proactivity

In this industry, I often hear colleagues and customers say that it feels like cybercriminals may always be one step ahead. For most businesses, cyber security is an ongoing process of putting out fires, but this is neither sustainable nor effective. Today's threat landscape calls for proactive preparation, from business leaders and governments alike.

Now is the chance for Labour to get ahead and demonstrate their commitment to security from the outset. By building up skills, supporting businesses to implement a base level of risk reduction that moves beyond mere compliance, and encouraging business leaders to practise a dedicated incident response strategy, Keir Starmer has a unique opportunity to build a more proactive and productive Britain.

Rick Jones is CEO and co-founder of DigitalXRAID