In this session, recorded 13 April 2022, the CBI’s Head of Digital Policy Susannah Odell, and representatives from the National Cyber Security Centre and Marsh, discuss the topic of cybersecurity and resilience, and share insights and tips firms can use to protect their staff and operations.
13 Apr 2022, 4 min read
Speakers:
- Sarah, Deputy Director of NCSC Economy & Society, National Cyber Security Centre
- Sarah Stephens, International Head of Cyber, Marsh
- Susannah Odell, Head of Digital Policy, CBI
- Liz Moseley, Editor and Partner, Tortoise Media (Chair)
In this session:
Susannah (CBI)
- Hearing a lot from businesses across the UK about cybersecurity – it’s shot up the agenda.
- Questions are becoming a lot more practical - what should I be doing? What's proportionate?
- Level of seniority is changing too - moving out of IT departments and up to board level.
- Where businesses are now: definitely growing interest, and firms recognise we are in a different place compared to a few years ago.
- Pandemic accelerated lots of digital innovation and moving online which has increased risks for many businesses and the prizes for cyber criminals are getting bigger.
- Training is important, but so is a workforce culture that rewards good security practice, e.g., phishing email exercises to see if employees click on a link.
- Cyber-resilience is a supply chain issue: questions businesses can ask are around what practices they have in place when signing contracts or starting a business journey. Who holds responsibility?
- Also, larger companies need to consider their role in supporting SMEs in their supply chains.
- The CBI have published a free cybersecurity action plan your business can use.
Sarah (National Cyber Security Centre)
- Following the invasion of Ukraine the NCSC continues to do what we were doing before - not aware of any specific threats to UK organisations related to events in Ukraine, but want to help organisations to be prepared and understand what they need to be ready for.
- Have had attacks from Russian government before - use of malware - aimed at Ukraine but impacted firms across Europe.
- NCSC are monitoring the situation closely to enable businesses to stay ahead, developing guidance, and the key message is simple - the most important action your security teams can take is to review management processes and ensure fundamental controls are in place.
- Register for "Early Warning" which allows NCSC to inform organisations of any activity.
- Businesses should prepare response plans: running cybersecurity exercises is an effective way to evaluate them, and can be a very cost-effective way for organisations to test their cyber resilience.
- Look at "Exercise in a Box"
- Everyone is at risk of commodity attacks - can be exploited using readily available hacking tools, vulnerable - working out which controls are in place.
- On Office 365 - a special phishing report button which goes straight to the NCSC.
Sarah (Marsh)
- Marsh is a world-leading broker and insurance adviser and works with all sizes of companies. We try and meet clients in key "moments of truth" - in the midst of a cyber-attack or when assessing the risk landscape / building resilience.
- Help clients decide where to invest e.g., money into prevention, more money into practice and whether they need insurance. Important to quantify the risk and realise a proportionate response.
- Lots of risk experts out there - Marsh tries to bring a lot of parties together to assess cyber risks.
- Businesses need to ask themselves “What could go wrong for us?” For example, are you reliant on a particular cloud service provider? Develop scenarios first and then think about if the worst thing happened - how much would it cost our organisation.
- Standards and frameworks can be helpful. Marsh offers a free online tool where businesses can assess their risk and where gaps are.
- In an ideal world there would be a layer cake around what we need companies in a supply chain to do - you can make smaller companies buy insurance. It's a way of getting some expertise and a trust stamp.
- Ransomware has become much more prolific and very accessible to criminals – businesses should be preparing for these attacks.
The NCSC's Suspicious Email Reporting Service (SERS) enables the public to report suspicious emails by sending them to report@phishing.gov.uk.
The SERS analyses the emails and if found to contain links to malicious sites, seeks to remove those sites from the internet to prevent the harm from spreading.
This guidance describes how to configure the Office 365 ‘Report Phishing’ add-in for Outlook.
Configure O365's Phishing report add-in for SERS - NCSC.GOV.UK