While the CSR Bill represents a critical step forward in enhancing the UK’s cybersecurity infrastructure, it must go further, argues Andrew Rose
The Cyber Security and Resilience (CSR) Bill, announced in the King’s Speech, comes in response to a series of high-profile attacks on critical national infrastructure. It is a pivotal step in the UK’s efforts to safeguard its digital infrastructure in an increasingly perilous threat environment. According to SoSafe’s Human Risk Review, 85% of security professionals in the UK agree that the current threat landscape is the most challenging of the past five years. Half of UK security professionals have experienced a successful cyber attack in the last year, and 60% see a high risk of a cyber attack having a substantially negative impact on their organisation. Those figures underline the urgent need for stronger defences and a proactive approach to cybersecurity.
Key provisions of the bill
The CSR Bill seeks to modernise and expand the UK’s outdated cybersecurity regulations, bringing them closer to the higher standards set by the EU’s NIS2 directive. As cyber threats escalate in frequency and sophistication, the bill’s primary goal is to strengthen national defences by extending regulatory requirements to a broader range of organisations, imposing stricter security controls on them, and giving regulators stronger powers, so that critical sectors are adequately protected against attack.
One of the bill’s most significant updates is the expansion of mandatory security incident reporting. This feature will enable real-time sharing of attack data among sector regulators, fostering a more coordinated and proactive defence against cyber threats. Intelligence from one organisation’s incident, shared quickly and acted on, shortens the time it takes other organisations to detect and respond to the same threat, lets them prioritise their defences more effectively, and can stop an attack from causing significant harm across an industry. That benefit depends on the intelligence flowing back out to the organisations that can act on it, not only into the regulator.
The importance of human factors in cybersecurity
While the CSR Bill introduces promising advances, several areas could benefit from further attention, particularly the human aspects of cybersecurity. Human behaviour plays a pivotal role in most cyber attacks: the research and consulting company Forrester predicts that 90% of all cyber attacks in 2024 will exploit human emotions.
The bill should emphasise user education and training, which are essential for cultivating a well-informed and vigilant workforce, and it should give greater recognition to the importance of building a strong security culture. It could also address the role of human-centric design in security tools and policies, and include provisions that promote psychological safety so that employees can report mistakes or suspected security incidents without fear of reprisal.
Many UK companies have already recognised the importance of the human factor and are acting on it. Our review finds that 94% of security professionals in the UK prioritise establishing a strong security culture, and almost all organisations (99%) involve senior executives and the board in cybersecurity governance and decision-making. Three-quarters of UK respondents report an increased focus on security over the past three years, and cybersecurity has become a core component of business strategy for 67% of organisations. Almost three-quarters (74%) have increased their cybersecurity budget in the last two years, driven by the growing threat landscape and technological change; that is significantly higher than the 58% reported across all respondents.
Making cybersecurity a collective responsibility
While the CSR Bill represents a critical step in enhancing the UK’s cybersecurity infrastructure, it must go further to safeguard our digital future. Its current focus on regulatory compliance and incident reporting is vital, but it should place equally strong emphasis on the human factor.
The efforts already being made by many UK companies to integrate cybersecurity into their business strategies are commendable, but these practices must be standardised and extended across the whole country. Making them mandatory would ensure that every organisation, regardless of size or industry, contributes to a resilient digital environment in which security becomes second nature. That approach protects businesses and empowers individuals, making cybersecurity a shared responsibility that extends from the boardroom to every employee’s desk, and it is how we build a more secure future for all.
Andrew is the chief security officer at SoSafe, the EU’s leading security awareness company. Andrew has more than 25 years’ experience, including as CISO for UK Air Traffic Control, Mastercard, Proofpoint and two ‘magic circle’ global law firms; he was also a principal analyst at Forrester Research. Andrew has been recognised with many awards, including ‘European CISO of the Year’ (2018) and ‘Best Security Awareness Campaign’ (2015), and is regularly listed in the CSO30 (2020-2023). He is also included in Onalytica’s list of the most influential global cybersecurity professionals. Andrew is a regular speaker at global security conferences such as RSA, Black Hat and Infosecurity Europe, and has contributed to media outlets such as the Wall Street Journal, the Financial Times, the Washington Post, Wired and CNBC TV.