The Debate: Does the UK need tougher cybersecurity laws?
In the wake of a wave of major cyber attacks, is it time for the UK to get tougher on business cybersecurity? Two experts hash it out in this week’s Debate
YES: The government is right to call this a wake-up call
The recent cyber attacks against Marks & Spencer, Harrods and Co-Op should be a wake-up call for the entire country. We know that the average cost of a data breach in the global retail sector is $3.5m (£2.6m), and it’s deeply worrying to see these major household names in cybercriminals’ crosshairs. It’s a clear sign that stronger rules need to be implemented across the board.
It is no longer a case of ‘if’ but ‘when’ a business will be a target of cybercrime. From what we’ve seen at M&S, staff responded swiftly in line with existing incident response plans, yet reports of confusion over temporary security protocols emphasise how crucial it is to have proper preparation, for all possible cybersecurity scenarios.
We urgently need clearer national standards that all companies, big or small, must follow. Every business should be required to have a proper cybersecurity plan, run regular drills and keep their systems up to date. Just like there are rules for food hygiene or fire safety, we need basic rules for digital safety too.
The government is right to call this a wake-up call, but it must be followed by action: stronger laws, better guidance and oversight, and consequences for those who ignore the risks. Without that, more businesses will be caught off guard, and it will be their customers and employees who will pay the price. Cybersecurity isn’t just a tech issue anymore; it is a critical need for business survival in this constantly evolving digital threat landscape.
Ed Williams is vice president of EMEA’s consulting and professional services at Trustwave
NO: Businesses can’t buy cybersecurity off a shelf
Having been involved in various government briefings across the globe, I understand the requirement to develop national cyber policies and regulation that drive critical infrastructure towards resiliency. However, the UK’s Cyber Security and Resilience Bill feels like a big stick telling businesses to “be resilient” overnight without having provided much guidance on helping them grow carrots. The reality is you can’t buy cyber resiliency off the shelf; it’s about having the people, processes and technologies in place to achieve it. Joined-up pragmatic guidance on helping organisations move towards cyber resiliency, combined with a gradual enforcement regime would have been a better approach.
Let’s take important lessons from the Digital Operational Resilience Act (DORA) in the EU. I believe we should mandate UK organisations to build their understanding and measurement of their impact tolerances and current level of cyber resiliency, instead of mandating immediate changes to achieve an arbitrary boilerplate level. This feels too harsh given that many organisations haven’t received the appropriate pragmatic guidance from the government on the people, processes and technologies to safeguard against today’s cyber threats.
Ultimately, the current legislative approach has the potential to impact critical services. Instead, government should consult industry leaders to develop a pragmatic tiered approach, in which they provide specific requirements for businesses to achieve at every step of the cyber resiliency journey. We must enable organisations to identify their current resiliency status and build a robust strategy that enables benchmarked progress throughout, and the foundations for this already exist with the NCSC’s Cyber Assessment Framework.
James Blake is vice president of cyber resiliency strategy at Cohesity
THE VERDICT
Oh cybersecurity – it’s hardly a topic that gets the blood pumping, is it? And yet, as has been made all too clear over the past two weeks with major cyber attacks on Marks & Spencer, Co-op and Harrods, ignoring it comes at a cost. Indeed, according to insurance broker Howden, cyber attacks have cost UK companies £44bn in lost revenue over the past five years, with 52 per cent of firms affected. And with hackers telling the BBC there will be more attacks soon, there is little time to lose.
Such at least is the opinion of Mr Williams, who argues that cybersecurity is no longer just a tech issue but a business critical one. Certainly that is hard to argue with.
But Mr Blake is also right to urge restraint when it comes to mandating blanket rules for businesses, many of which are already trying to do their best. Firms cannot become infallible to cyber attacks overnight, especially ones that are becoming more sophisticated every day. As with too many issues at the moment, businesses could do with a little less scolding and a little more grace.