More than one-third of chief information security officers (CISOs) in the UK admit they ignore cybersecurity guidance from the National Cyber Security Centre (NCSC), a new report has found.

35% of the 250 CISOs surveyed by Absolute Security openly said they do not adhere to protocols outlined by the UK government’s cybersecurity body – a major concern amid a spate of recent attacks on the likes of the British Library, Royal Mail and Ministry of Defence (MoD).

All three major UK institutions suffered severe cyberattacks between last October, when the British Library was targeted by Russia’s Rhysida cybergang, and earlier this month, when an allegedly Chinese-backed group hacked the names and bank details of thousands of UK MoD personnel.

As seen with the MoD’s decision to delegate cybersecurity of its payroll systems to Sopra Steria’s SSCL, these institutions often outsource cybersecurity operations to the same type of company – and CISO – surveyed in the report.

“While no set of standards or frameworks will eliminate the certainty of an eventual incident, NCSC guidance is there to help protect CISOs, who shouldn’t just ignore nationwide protocols,” Absolute Security’s international vice president Andy Ward tells Verdict. “Disregarding NCSC advice puts organisations at much greater risk. It jeopardises jobs, causes significant financial and reputation damage and potentially even heaps personal liability on security leaders.” 

The report was based on responses from CISOs across a range of industries, Ward tells Verdict: “50% IT/tech, 10% retail, 10% finance, 10% manufacturing, 5% education, 5% healthcare, 5% legal, 5% engineering.”


Is the UK an easy target for state-sponsored cyberattacks?

The verdict from experts is mixed.

In the case of the British Library cyberattack, the NCSC said it “should be applauded” for refusing to pay an extortion fee to the criminals behind the ransomware attack in October.

64% of the survey’s respondents said the UK has a poor cyber resilience strategy – but any underlying susceptibility to hacking “may not be due to the UK’s resilience strategy”, an industry expert who has chosen to remain anonymous tells Verdict.

Questions have also been raised about exactly which part of the NCSC’s cyber guidance the respondents ignored.

“It is a concern that the relationship with the NCSC is seen to be a problem, with an apparent disconnect between the guidance offered and the rules followed,” the source adds. “But what is meant by the UK having a poor cyber resilience strategy isn’t clear. Individual organisations are surely responsible for their resilience strategy, not some form of national resilience strategy.”

The divide between businesses that believe in a government-led, nationally coherent cyber strategy and those that favour individual corporate decision-making came to a head last week.

UK government officials are set to propose a new bill obliging businesses to report all ransomware attacks, Recorded Future News reported. The proposal would also make it mandatory for cyberattack victims to seek a licence before making any extortion payments.

Pointing to Caesars’ decision last year to pay a ransom, contrasted to MGM’s refusal, the anonymous source concludes that “companies should have the option of paying a ransom if it’s not illegal to do so”.

“Boards have the responsibility of keeping the company’s operations running. The cyber authorities don’t – they don’t have companies to run. There is a risk in paying ransoms, and it furthers the ransomware industry, but paying a ransom is a business decision.”