UK Cybersecurity Strategy: 5 Things To Keep In Mind

We’ll start by saying there isn’t anything inherently different about a U.K. cybersecurity strategy compared to one in, say, the U.S. But many countries do face some specific cybersecurity strategy challenges, whether they’re regulatory or situational—and the U.K. is no exception.

With this in mind, we’ve outlined five things to keep in mind as you formulate your strategy to protect your organisation.

1. Learn to mitigate insider threats by monitoring permissions.

CISO Reporting to Board eBook

Get the inside scoop on the metrics that matter.

Read The eBook
Button Arrow

Every organisation should make it a goal to provide employees with the level of network access they need to do their job and nothing more. The majority of employees do not need access to every single piece of data in an organisation—and if you give out unlimited access to your corporate network, you’re drastically increasing your chances of an insider-based cyberattack.

A recent InfoSecurity article highlighted how cybersecurity incidents have increased in the U.K. over the last year and how insiders are playing a major role in this. Andrew Dalglish, the director of Circle Research, notes:

“Not only are security breaches becoming more lucrative for attackers, research highlights that the weakest link in many businesses' security systems often comes from within... Intentional or not, the very people working for a business can pose the biggest threat to its security and the security of customer data.”

2. Don’t underestimate phishing attacks.

According to the 2016 Verizon Data Breach Investigations Report (DBIR), as summarised in this TripWire article, there were 9,576 reported phishing incidents in 2015—and 916 of those phishing attacks reported a breach of data. And in a study done by market research company Circle Research, 57% of respondents (all U.K.-based) indicated that they had experienced a phishing attack in 2015. The moral of the story? Phishing attacks are not to be underestimated.

3. Prepare employees by running tabletop exercises.

According to a study done recently by AXELOS, many U.K. organisations are not properly training employees on cybersecurity. The research shows that “82 percent of companies in the UK are using traditional learning methods that include information security training on computers and e-learning,” while “less than a third use newer methods such as animations, games and simulations.” And while 99% of respondents in senior management believe training helps mitigate security risk, only 47% are changing their training tactics based on employee actions.

One of the best ways to ensure your employees are prepared for cybersecurity practices is to run tabletop exercises before a breach occurs. Don’t forget to put plans in place for notifying law enforcement, forensics firms, customers, and investors and dealing with potential financial or reputational harm.

4. Know precisely where your data is located.

A recent study by UKFast, as reported by SC Magazine, showed that 47% of IT leaders in EU organisations do not know the “geographical location” of their “critical and personal data.” Lawrence Jones, CEO of UKFast, notes, “This is a big issue for British businesses. If they don't know where their data is being stored then how can they reassure their customers, or the courts, that it is secure and not at risk of interference?”

Not only should you know the physical location of your data, but you should also know who has access to it, why, and to what degree. These are all vital aspects of your cybersecurity strategy.

5. Keep government and EU regulations at the forefront of your mind.

The U.K. seems to be experiencing a number of high profile data breaches as of late—but this could simply be a byproduct of the re quirement of public disclosure. At any rate, it is clear that the government has recognised the importance of proper cybersecurity and agrees that U.K. businesses need to be doing something about it. There are many materials offered by the government in regard to cybersecurity, but a great deal of them are very high-level and don’t provide the detail-laden information you need to create a comprehensive cybersecurity strategy.

The EU’s Data Protection Regulation (GDPR) has the potential to make a major impact on U.K. businesses as well and should be taken into consideration. (Of course, depending on the outcome of the upcoming referendum, the U.K. will not be impacted by the GDPR. This remains to be seen.)


You may already have a cybersecurity strategy in place, but it might be past time to review it and ensure that you’re covering your organisation as comprehensively as possible. A major cybersecurity breach can spell catastrophe—and while you can’t completely avoid this kind of attack, you can have proper controls in place to mitigate its effects.