A new report has said that board-level executives need to be more aware of cybersecurity issues if their organisations are to effectively manage cyber risks.
It comes ahead of a major government announcement on cyber security, which is expected to be made later this week.
The ‘Cyber Security and the UK’s Critical National Infrastructure’ report from think tank Chatham House, sponsored by BAE Systems’ Detica business, recommended that businesses should make all staff across their organisations aware of cyber risks, and that this should be led from the top.
Senior management should be confident enough in their understanding of cyber security to “ask the right questions from those tasked with providing security within their organisation,” the report said.
“Critical National Infrastructure (CNI) enterprises [such as utilities and banking providers] should seek to take on greater responsibility and instil greater awareness about the nature of cyber risks across their organisations.
“Senior management should, for example, create incentives for departments and individual employees to recognise and address cyber dependencies and vulnerabilities as they arise,” the Chatham House report stated.
“However, this will only be achieved to the extent that board members are themselves more aware of the opportunities and threats presented by cyberspace.”
To reinforce the importance of board-level understanding, the report also recommended that communication around managing cyber risks should be tailored and targeted at both board-level members and technology experts.
Moreover: “Government will have to communicate with senior private-sector management in language the latter can understand. The issue of cyber risks needs to be made accessible for those who are neither familiar with technology nor highly IT-literate,” it said.
As well as making cyber security a fundamental part of an organisation’s risk strategy, Chatham House recommended that training and development of staff in cyber security measures should also be embedded into risk mitigation strategies. Budget cuts to improve the bottom line should not hinder these efforts, it said.
Although the report said that the government cannot deal with the cyber security threat by itself, Chatham House believed there were still things the government could do to help the private sector play its part.
For example, it said that the government should act as a focal point for gathering information about cyber security, and work to raise levels of awareness and understanding in wider society.
It also recommended that the public sector, as well as the private sector, needed to put more money into research and investment in cyber security, as well as into nurturing human resource capabilities.
“This area is currently under-resourced and lacks the appropriate long-term funding in both the public and private sector,” the report said.
As part of last year’s Strategic Defence and Security Review, prime minister David Cameron confirmed that the government would allocate £650 million over a four-year period to fight against cyber attacks. The government also detailed cybercrime as a ‘tier one’ risk to Britain, alongside terrorism, international crises and natural hazards.