If the UK is serious about digitizing the economy, then cybersecurity is priority number one and the first step should be to take a hard look at the UK Government's recently released draft code of practice for cybersecurity governance.
Whilst governments around the globe have been kicking around the metaphorical can of AI regulation, something has been going on in the background: something tangible, incredibly dangerous, and increasingly more frequent: cybercrime.
It shouldn't be the case that in an increasingly digital economy, of which the current government is supposedly a big advocate, that businesses, tech-based or otherwise, are struggling to gather the know-how and tools needed to guarantee their safety. Instead, businesses are succumbing to an influx of AI-supported cybercrime, whether that's ransomware, deepfake scams, or traditional phishing scams; 2024 has already proven it's going to be a record-breaking year for cybercrime and not in a good way!
The UK Government's current approach to AI and cybersecurity governance has been very much hands-off. Whether that's because of growing pressure from outside of the world of technology (economy, defence, impending election) or perhaps a lack of understanding from the government itself, it's leaving businesses in a precarious position with little to no direction on what to expect in the near future.
Introducing this latest code of practice for cybersecurity offers some useful content for businesses unfamiliar with cybersecurity norms. Still, it does leave the door open for these protocols to be outrightly ignored, instead of instituting legally binding legislation that would hold businesses' feet to the fire. This freedom means businesses will likely prioritise what they want rather than what they should do regarding cybersecurity.
The risks of businesses ignoring these cybersecurity threats are substantial. You need not look any further than the story of the Hong Kong business that was duped out of $25 million last month by a deepfake scam.
So, where do we go from here? Hopefully, towards greater clarity. British businesses cannot be expected to thrive in an increasingly digital economy without clear frameworks and governance that clarify accountability for companies irrespective of their size or the industries that they work within.
For strong examples of this in action, look across the pond. Last summer the US Government's SEC implemented iron-clad legislation that requires public businesses to disclose cybersecurity incidents and maintain a high standard of cybersecurity management. Furthermore, the SEC has taken an unprecedented step to require all registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
Legislation and rulings like this demonstrate the possibility of a more accountable cybersecurity industry from the boardroom to the factory floor.
The suggested code of practice also poses questions to the Labour Party on how it plans to address technology-related issues such as cybersecurity. A topic into which it has yet to invest much time or energy.
The closer we get to the next general election, the Conservatives and Labour should anticipate that questions on AI, cybersecurity, and technology regulation will be high on the list of priorities. This could very well decide which side of the election businesses decide to support.
From conversations in my everyday working life, I have learned that a number of businesses up and down the UK still consider cybersecurity procedures and partners a 'nice to have.' These same businesses have invested swathes of money, time, and energy into the digitization of their companies and, crucially, their supply chains.
With this digital supply chain becoming a reality, it begs questions as to why equal amounts aren't being driven into cybersecurity despite cybercriminals' clear capabilities to disable and disrupt these intrinsic aspects of companies' work. As cybercriminal gangs and ransomware groups grow ever more prevalent in the UK, it points towards a clearer need for cybersecurity legislation and standards of practice instead of a code of suggested actions. Only then can British businesses hope to stand a chance against the latest wave of cybercrime.
This legislation needs to be comprehensive, but naturally achievable for British companies irrespective of size or function. To execute this, the government should seek the industry's experts to source opinions, insights and suggestions for how modern cybersecurity legislation could look and how it can help keep businesses and their employees safe from harm.
A version of this article originally appeared on UKTechNews.
