Boosting your cyber security: an action plan for your business
Cyber security is a real concern for all businesses. Use this framework to discover the actions you can take to stress test your cyber security strategy, the NCSC resources you need and what other businesses have done.
Businesses across the UK have demonstrated time and again their capacity to react to a changing external environment. From COVID-19 to the ongoing global energy crisis, businesses have rapidly adjusted their strategies to adapt.
One of the latest challenges UK businesses are facing is the growing risk associated with operating online and remaining cyber secure. In 2021, 40% of UK businesses reported experiencing a cyber breach or attack. As first featured in The Times, the CBI, alongside Steve Barclay (as lead Minister for Cyber Security), has called on businesses to work together and treat cyber security as a core boardroom responsibility: a threat equal to financial and other risks. Cyber attacks recognise no physical or geographical boundary, and cyber criminals thrive on the unwillingness of companies to share their experiences.
While reluctance to share when something goes wrong is completely understandable, cyber security is one area where healthy rivalry between businesses will not help, and where cooperation and sharing lessons learned, within and between our organisations, will make us all safer, along with the customers and the public that we serve. Companies must stress-test their whole supply chains' cyber security, right down to the smallest partner, because any weakness can be exploited. This isn't hypothetical. The attack on the Colonial Pipeline, which disrupted the lives of millions through supply shortages, a fuel price spike and petrol stations running dry, was down to the theft of a single password.
This framework will direct you to the National Cyber Security Centre (NCSC) resources that you need to ensure your company has a robust and stress-tested cyber security strategy. Get key actions you can take and read case studies from other businesses with practical ideas to inform your organisation’s approach.
Top tip
Take a look at the NCSC’s 10 steps to cyber security to stress test and further enhance your cyber resilience.
Step 1
Know your risk
Before you can build a strategy, you need to understand the environment you are operating in and the associated potential risks. The risks, however, are constantly changing; therefore, it is vital to evaluate (and re-evaluate) your cyber strategy given any changes to the risk environment.
Actions you can take:
- Visit the NCSC news page to learn more and better understand any changes to the cyber risk landscape
- Visit the NCSC webpage to understand the actions you should take when there is a heightened cyber threat to your business
- Prepare your business for the worst-case scenario and use the NCSC webpage on incident management to develop your action plan in the case of a successful cyber attack.
Step 2
Train your people
Equipping your employees to operate safely in your cyber network should be an essential part of your strategy. To learn more about building a positive cyber security culture in your business read the NCSC guidance on work-based cyber security culture.
Actions you can take:
- Consider when you last ran employee training; employees may need their knowledge refreshed. Read the NCSC’s Engagement and Training webpage to understand how best to engage your employees on cyber security
- Visit the NCSC’s top tips for staff webpage to learn how to empower your staff in the defence against cyber threats
- Involve your employees in the development of your cyber strategy. They might have insight into the threats they are facing and whether the current procedures in place are suitable
- Create proper channels and feedback for your employees to raise concerns and issues regarding your cyber security.
Step 3
Assess your technology
Every time you use technology to connect to the internet, servers or internal systems, you open up the potential for threats. Assessing your technology and managing your assets are critical for understanding the current risks and vulnerabilities across your estate. To understand how to undertake effective asset management, read the NCSC guidance on Asset Management.
Actions you can take:
- Learn how to design your systems to be able to detect and investigate incidents with the NCSC webpage on Logging and Monitoring
- Ensure all your technology is kept up to date and that older technology is removed from the system
- Keep an inventory of your technology, software, and admin profiles
- All technology carries risk. Consider if the technology you are using is worth the risk it may present to your business operations.
Step 4
Secure your supply chain
Cyber security is not just about your business, it is about your wider network. Businesses that are part of your supply chain, and your other physical sites, all make up your business’ cyber presence. To learn more about how to manage cyber security across your supply chain, visit the NCSC webpage on Supply Chain Security.
Actions you can take:
- Ensure your suppliers and supply chain partners are keeping up to date with their cyber security. Encourage continuous improvement through open dialogue.
- Make sure you are regularly including your wider network in any conversation about your cyber strategy and share your best practices with them
- Assess the cyber risk that a potential partner may carry, before engaging in any potential deal discussions
- Learn more about how to use identity and access management to keep your business cyber secure on the NCSC webpage on identity and access management.
Step 5
Take the steps to cyber security
The National Cyber Security Centre (NCSC) has developed guidance that aims to help organisations manage their cyber security risks by breaking down the task of protecting the organisation into 10 actions.
Step 6
Learn from others
Case studies:
- Read why cyber security is a top priority from boardroom to ground floor, from the CBI’s Chief UK Policy Director
- Smaller businesses with limited resources can struggle to know the best steps to protect their organisation. BT shares some practical tips to get started
- Hear from Blacksmiths Group on how to firm up your business' cyber security in the face of ever-evolving digital threats
- Consider the impact of hybrid working on cyber security and data protection. You can also catch up on the CBI’s Daily Webinar on cyber security and remote working
- Read Sir Rob Wainwright’s (Former Head of Europol) advice on embracing the cyber threat, and on what can be done
- Find out how your business can stand up to modern cyber attacks
- SCC's Kat Hill borrows from best practice among emergency response teams to offer advice on minimising the impact of cyber attacks.
Additional resources
National Cyber Security Centre (NCSC)
- Sign up to National Cyber Security email updates on threat risk and best practice.
For Boards:
- Understand how to better discuss cyber security at the C-suite level with the NCSC’s Board Toolkit. You can also download it in full here.
For SMEs
- Discover the NCSC’s 10 Steps to cyber security
- Visit the NCSC news page to learn more and better understand any changes to the cyber risk landscape
- When was the last time your firm tested its response to a critical cyber incident? This ‘Exercise in a Box’ online tool from the NCSC can help you work through what to do and practise your response to a cyber attack
- Concerned about ransomware? The NCSC recognises that ransomware is the main cyber threat UK businesses face, and has launched a new Ransomware Hub
- The latest figures show fewer firms falling victim to cyber attacks, but SMEs are still less proactive than they should be. Read more from the National Cyber Security Centre's Sarah Lyons.
CBI
- Catch up on the CBI @10am on ‘cyber security – assessing risk and building resilience’, or listen to the podcast
- Watch the CBI @10am webinar on the Ukraine conflict, economic sanctions, and cyber security. You can also find the podcast here
- Find out more about the UK government’s National Cyber Strategy and what it means for your business
- Watch the CBI’s webinar on cyber security for SMEs
- Alongside essential cyber security controls, small businesses need to be ready to cope and deal with a potential cyber incident.
- At the CBI’s Cyber Security conference in 2019, we discussed why boards must be involved in cyber defence. Check it out
- Discover some questions to ask to be more cyber resilient
- The CBI hosted a joint session with the National Cyber Security Centre to help businesses move from awareness to action on cyber. Check out Susannah Odell’s reflections on the session (CBI Head of Digital Policy), the role of business in cyber resilience, and the tools available to help your business take the next step.

Visit the NCSC for more