News reports this year have been dominated by high profile and high impact cyber incidents, including:
- A major cyber incident which significantly impacted M&S.
- A more limited disruption for Co-Op.
- An attack targeting a nursery chain.
- Multiple airports (including Heathrow) impacted due to compromised check-in software.
- Jaguar Land Rover forced to shut down UK production factories, severely impacting their supply chain.
- Salesforce customers being targeted by vishing attacks.
- Discord responding to a breach involving one of its third-party vendors.
To put this into context, the National Cyber Security Centre (NCSC), which is part of GCHQ and is the UK’s technical authority for cyber security, has reported that a record 204 ‘nationally significant’ cyber attacks occurred in the 12 months to September 2024. This is a dramatic increase from just 89 in the previous year, meaning in the last year we averaged four major incidents a week and 4% of those incidents were categorised as ‘highly significant’ (meaning they had a serious impact on central government, essential services, a large proportion of the population or the UK economy). The report also highlighted that ransomware reports were highest in sectors such as finance, engineering, retail, health and manufacturing. However, the NCSC warns “no sector (and no organisation) is exempt from this threat”.
If that isn’t reason enough to take cyber security seriously, the NCSC CEO Richard Horne commented in the foreword to the report:
“Nobody wants to believe their business could grind to a halt following a cyber attack. But any leader who fails to prepare for that scenario is jeopardising their business’s future… every organisation must understand their exposure, build their defences and have a plan for how they would continue to operate without their IT (and rebuild that IT at pace) were an attack to get through… Cyber security is now critical to business longevity and success. It is time to act”.
These incidents, comments and statistics are a stark reminder to all organisations of the importance of robust cyber security measures and have led the government to issue urgent cyber security advice to UK businesses. The government are recommending three key actions that large businesses can take to improve their cyber resilience (although they are good practice for organisations of all sizes):
- Make cyber risk a board-level priority using the Cyber Governance Code of Practice and the related toolkit and training.
- Sign up to the NCSC’s early warning service, a free alert system for potential attacks.
- Require supply chain partners to be certified under the Cyber Essentials Scheme.
The government’s letter also referred organisations to the NCSC’s Cyber Assessment Framework (CAF) as a tool that can be used to improve cyber resilience in relation to an organisation’s most critical services, regardless of whether the organisation is in scope of the CAF.
For smaller businesses, the NCSC has launched a free Cyber Action Toolkit to help them put some basic cyber security measures in place and guard against the most common cyber threats.
All organisations have also been urged to participate in the Cyber Essentials Scheme and, if eligible (UK organisations who certify their whole organisation and have an annual turnover of less than £20 million are eligible), take advantage of the free cyber insurance provided by it. The Information Commissioner’s Office also promoted the Cyber Essentials Scheme during its recent annual conference, highlighting the benefits of the free Cyber Essentials readiness tool offered by IASME, which helps organisations prepare for Cyber Essentials certification.




