Boards Still Aren't Taking Cybersecurity Seriously, Warns New NCSC Boss. That Means Everyone Is At Risk

Cybersecurity still isn't taken as seriously as it should be by boardroom executives – and that's leaving organisations open to cyber attacks, data breaches and ransomware, the new boss of the National Cyber Security Centre (NCSC) has warned.

In her first speech since taking the helm of the UK cybersecurity agency, CEO Lindy Cameron said cybersecurity should be viewed with the same importance to CEOs as finance, legal or any other vital day-to-day part of the enterprise.

"The cybersecurity landscape we see now in the UK reflects huge progress and relative strength – but it is not a position we can be complacent about. Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK's boardroom thinking," said Cameron during a speech at Queen's University, Belfast.

"The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their finance director and general counsel."

SEE: Security Awareness and Training policy (TechRepublic Premium)

Recent cyber incidents, including the cyber-espionage campaign exploiting SolarWinds and cyber attackers taking advantage of zero-day vulnerabilities in Microsoft Exchange Server, are just two examples of how organisations can find themselves facing large-scale cyberattacks.

The NCSC says it helped detect and remove malware related to the Exchange attack from 2,300 machines at businesses in the UK. The aftermath of the attack has seen cyber criminals rush to exploit vulnerabilities before organisations have had a chance to apply the critical updates required to protect them.

"As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online," said Cameron, who cited ransomware as a major cybersecurity issue for businesses.

"Ransomware remains a serious – and growing – threat, both in terms of scale and severity. Ransomware is not just about fraud – and theft – of money or data, serious as both are. It's about the loss of key services and unenviable choices for unprepared businesses."

Such is the extent of the problem of ransomware targeting schools, colleges and universities in recent months, the NCSC put out an alert about the issue, with advice on how institutions can protect themselves. 

SEE: Phishing: These are the most common techniques used to attack your PC

While digital technology brings many benefits, it also brings risks, as cyber criminals, nation-state hacking operations and others attempt to take advantage of vulnerabilities for their own ends: whether by stealing vast amounts of information, or attempting to compromise critical infrastructure.

"We need to ensure that our adversaries – be they state or criminal, traditional or new – think twice before attacking UK targets," said Cameron. "And we need to ensure that future generations are better equipped to deal with this complexity than any of their predecessors."

MORE ON CYBERSECURITY

• This company was hit by ransomware. Here's what they did next, and why they didn't pay up
• 5 ways to lock down your Microsoft 365 account and keep hackers out
• Four out of five companies say they've spotted this cyberattack. Plenty still fall victim to it
• How to better defend your organization against remote access threats
• Exchange Server security patch warning: Apply now before more hackers exploit the vulnerabilities