Plugging skills gap is key to managing the cyber threat

First, the good news. The UK is probably more mature than most countries in how it recognises and identifies potential cyber risks (although we're probably still two or three years behind the US). That shouldn't give us cause to rest on our laurels and see it as 'job done'. The less positive news is that the constantly evolving nature of the cyber threat means we need, as a country and as individual organisations and businesses, to relentlessly address the biggest weakness in our cyber defences: people and the associated cyber skills gap.

The weakest link

When I'm asked what is the main vulnerability for businesses when it comes to cyber, the answer is always the same. It's each of us: the employee. Upwards of 95% of all cyber-related losses have a human component and it is this weakness we need to tackle to effectively manage the cyber threat. People are the easy gateway for hackers. Whether it's a one-man band or a multi-national, managing that people risk in your business through training, education, and up-skilling people so they know what to look out for is critical.

In the UK, the government has acted proactively to address this human chink in our cyber armour. The National Cyber Security Centre (part of the government's national intelligence and security organisation, GCHQ) has taken a proactive and visible stance in the fight against cyber crime across the wider UK plc. It's a cultural shift for the intelligence service, who are more used to working behind closed doors and a cloak of secrecy, but now recognise that to successfully manage the cyber threat, a more collaborative, open approach with people and business is essential. Positively, the NCSC has recorded that 98% of phishing URLs discovered to be malicious were taken down in the last year, and this is a testament to their continued work in the cyber security landscape.

There is a recognition that this is a problem for everyone; it's not about getting a commercial advantage for one business, it's all about reducing the threat and NCSC knows that. I'm particularly pleased to see the introduction of cyber security outreach programmes such as CyberFirst, aimed at school age children by the NCSC, because the biggest challenge is the skills gap. If you look at schools, the GCSE and A level syllabuses haven't changed much since I was a pupil back in the '80s. Surely, this can't deliver the strong platform of tech skills needed when you read comments in the press such as 50% of jobs being redundant within the next ten years or replaced by AI. Either way, it is clear that a monumental skills gap will open up without a programme of cyber security training at a young age as well as teaching other tech skills such as coding. Cyber security, for instance, should be mandated at school age to reduce the likelihood of future breaches impacting UK plc.

Up-skill the board

Similarly, employees must also have sound cyber security training but the skills gap doesn't just apply to the rank and file of an organisation. It is also critical that the senior leaders of every organisation up-skill to help them appreciate the cyber risk, understand how their organisation is exposed, and what the business is doing to mitigate the threat. As Aon's latest C-Suite report on cyber – Prepare for the expected: Safeguarding value in the era of cyber risks – says, "it is crucial to educate 'non-technical' leaders within the business. In this way, cyber security can be embedded in the fabric of the organisation - and plausible deniability is no longer an excuse."

Organisations must get their board members together and assess whether they have the competence when it comes to cyber security. The modern board needs people in it who are technologically aware. They might not necessarily be experts but they must understand the broader context of the cyber threats to their business and the costs and consequences of a cyber attack on their business. By understanding the threat, leaders will then be better placed to lead their organisation's drive for cyber resilience.

Your most effective weapon

Addressing the skills gap amongst employees is the single most effective thing a business can do to help it deal effectively with the cyber threat. Businesses can’t ignore the C-suite though in plugging that skills gap, given the role that leaders play in helping organisations form an enterprise-wide response.

To find out more about how to protect your business from the cyber threat, read the full Aon report: Prepare for the expected: Safeguarding value in the era of cyber risk