In January 2021, behind the talk of Downing Street parties and the latest excuse from Boris Johnson, the UK Government released its 2022 cyber security incentives and regulation review.
The report is designed to present the UK’s progress on improving cyber resilience, covering the period from 2016 to date. The report also seeks to assess and to understand the impact of interventions like the General Data Protection Regulation (GDPR) and NIS directive (which applies to operators of essential services and relevant digital service providers).
Reviewing the report an providing his analysis for Digital Journal is Andy Kays, CEO at UK cybersecurity business, Socura.
According to Kays, based on his review of the report: “We are still seeing an increase in hugely damaging cyberattacks in the UK, but that’s true of every country on the planet.”
In a sense, Kays says the inevitability of cyberattacks is a natural development of the digital economy. As he explains: “Cyber incidents will continue to have severe negative impact as business digitise their operations, but we cannot think of the task of improving cyber resilience as like boiling the ocean. Improvement is possible and taking stock of the UK’s progress on cyber security through reports like this is vital.”
So does the new report from the government help? According Kays it does: “The report correctly highlights poor cyber security hygiene and investment as major contributors to increased cyber incidents.”
He adds: “Likewise, it is true that further market intervention is required to help raise the bar to protect UK economy. However, I do believe that interventions like Cyber Essentials, GDPR and NIS have raised the profile of cyber and data security in the UK, and have improved understanding and investment where they are applicable among businesses.”
In terms of what else should be down, Kays leans towards learning and development in noting: “Education remains key, which is why the Foundation section of the report is so important. The UK needs to help organisations understand the risks and provide support to allow them to mitigate them, which is a shared responsibility among industry and the government.”
A further recommendation is an interventionist government, at least in terms of setting industrial policy. Here Kays recommends: “Market incentives are a powerful way to achieve this, with Cyber Essentials in Government procurement a good demonstration of how it forced suppliers to raise their standards.”
His final recommendation is based around the requirements that business needs from the workforce, as he finds: “Capability is also important, bringing forward skills and understanding those needed to help organisations solve key security challenges. This needs to be coupled with investment in training and knowledge in digital and cyber to help educate the UK workforce.
