In December, the UK Government released its National Cyber Strategy for 2022. We take a look at its scope and ask what impact it will have on UK businesses and organisations.
The 2022 Cyber Strategy seeks to “pioneer a new cyber strategy with the whole of the UK”. In the main, the document identifies the key risks and challenges that the UK faces and the direction the UK should take when it comes to the digital economy and cyber security.
The report recognises the long-term structural shift that digitalisation is driving and the importance of the cyber ecosystem to national prosperity and security.
The top priorities include:
• strengthening the UK’s cyber ecosystem,
• cyber resilience,
• taking the lead in technologies vital to cyber power,
• advancing UK global leadership to promote a secure and prosperous international order, and
• countering threats – detecting, disrupting and deterring adversaries to enhance UK cyber security.
While these challenges need addressing at a national level, there is a role for businesses and other UK organisations:
• to understand the way society is changing and the implications this has for cyber security,
• to understand the risks and work to mitigate them,
• to work with Government institutions, academia and trusted technology partners to develop and leverage the necessary digital skills, and
• to lean into resources provided by the National Cyber Security Centre (NCSC), the Information Commissioner’s Office (ICO) and local cyber resilience centres in order to boost overall resilience.
As the world is reshaped by technology, the Government wants to ensure that the country has the cyber skills and infrastructure necessary to advance British interests globally and to secure the UK’s cyberspace.
There are two key planks to the strategy: first, strengthening national capabilities in technologies critical to cyberspace and cyber security and, second, limiting reliance on individual suppliers or technologies, or on technologies that are developed by regimes that do not share UK values.
While the UK Government recognises the cyber security advances made by British business over the last few years, especially following the passage of GDPR onto the statute book, it also points out that there are remaining vulnerabilities.
It says, “we have growing evidence of gaps in our national resilience, with levels of cyber crime and breaches affecting government, businesses and individuals continuing to rise as well as cyber-enabled crime, like fraud. Legacy IT systems, supply chain vulnerabilities and a shortage of cyber security professionals are growing areas of concern… many organisations (especially small and medium enterprises) lack the ability to protect themselves and respond to incidents.
Industry tells us that many businesses do not understand the cyber risks they face, that commercial incentives to invest in cyber security are not clear, and that there is often little motivation to report breaches and attacks.”
The report also warns of international nation state threats, especially malicious actions taken on behalf of Russia and China. Plus, it makes the point that ransomware attacks are becoming more sophisticated and damaging.
Although the Government is investing in the National Crime Agency and the National Cyber Force to protect against such threats, the strategy makes it clear that businesses also need to be aware of these risks and to take action to mitigate them.
The strategy highlights the role of the NCSC(1) and the ICO(2) in helping businesses understand these risks and take appropriate action.
The UK cyber security sector is growing fast, with more than 14,000 businesses generating £8.9 bn of revenues in 2021.
The sector supports 46,700 skilled jobs – growing by 50 percent over the last four years.
The CyberFirst(3) and Cyber Discovery(4) programmes are intended to encourage more young people into the sector. However, there is still a huge skills gap. More than half of all UK businesses have a skills gap in basic cyber security skills.
Developing the skills to meet the growing cyber risks will be crucial.
The strategy sets out plans for “a number of measures, including the expansion of post-16 training programmes in line with the needs of the cyber workforce, funding a range of skills bootcamps in cyber security, the national rollout of the Institutes of Technology programme, and continuing the CyberFirst bursaries scheme for undergraduates. This builds on the Government’s work to align the majority of post-16 education and training with strengthened employer-led standards by 2030.”
Further, there are plans for “a higher quality and more established, recognised and structured cyber security profession. Underpinned by Royal Charter, the UK Cyber Security Council(5) will establish professional standards and pathways into and through a cyber career, built on the world-leading Cyber Security Body of Knowledge (CyBOK).”
The Government highlights the key role the UK cyber security sector will play over the coming years. The strategy calls for the strengthening of the broader partnerships between academia, the wider technical community and the private sector, to ensure that we capitalise fully on the UK’s technical expertise and know-how.
To support the growth of the sector, the strategy lays out plans for “a new Cyber Runway programme [giving] businesses a single focal point for support, learning lessons from our previous programmes such as the Tech Nation Cyber Programme, Cyber101 and Hut Zero. We will transform the Cheltenham Innovation Centre, which includes the cyber accelerator ‘NCSC for Startups’, into a true international centre of innovation: the National Cyber Innovation Centre. We will draw on the expertise of organisations that exist to promote and enable co-creation, such as the National Security Technology and Innovation Exchange. And we will encourage higher-risk investment in early stage cyber start-ups, including through the National Security Strategic Investment Fund, in partnership with the British Business Bank.”
The report highlights that, as our society and workplaces become more connected, cyber risks are also heightened.
It points out that “sensors, wearables, medical devices and biometrics will further blur the boundary between offline and online activity. Cyber risks will become pervasive, increasing the volume of personal and sensitive data generated and the potential impact if systems are breached.”
To build resilience, the strategy outlines Government plans to give businesses a clearer understanding of what to do in the event of an incident, who to call, who can help and how to recover. This includes a new Cyber Incident Response scheme and Cyber Incident Exercising service as well as encouraging small businesses and organisations to take advantage of local support, such as their regional Cyber Resilience Centre(6).
You can read the full strategy paper here(7).
The Government hopes to use the publication of its cyber security strategy as a platform for further engagement with the public, private and third sectors across the UK.
It is inviting direct feedback to email@example.com
The best way to protect your business or organisation against the most common kinds of cyber risks remains the Cyber Essentials scheme.
This scheme has changed and evolved over the past few years to become a practical, attainable minimum security standard for every business to protect it from the majority of casual attacks and cyber criminals.
Find out how the Cyber Essentials scheme could serve you with a copy of our 2022 Guide to Cyber Essentials:
Or, for further advice, please reach out to our team on: 0808 164 4142.