Does the UK Government's new Cyber Governance Code of Practice go far enough?

The Governments new 'code of practice' will set the standard for cyber security education in business leaders across the UK, but is this really effective without the right technology?

The potential benefits of the UK’s rapidly growing cyber landscape are huge, unlocking new opportunities and ways of working while creating new jobs to grow every sector of the UK economy. However, this also means the risks associated with growing an increasingly digital economy need to be addressed with practical actions.

Following Government research that almost one in three firms have suffered a cyber breach or attack in the past year, including one which took the NHS 111 service offline, The Government has proposed The Cyber Governance Code of Practice which, when met, allows organizations to obtain the “Cyber Essentials certificate” which demonstrates they have cyber security controls in place.

The code sets out key actions for senior management (director level and above) to take to strengthen their cyber resilience to take full advantage of digital technologies which can fuel innovation and drive competitiveness in an increasingly hybrid world.

The UK Government’s recent introduction of the Code of Practice is a step in the right direction for all organizations to approach cyber risk, but to secure The UK’s credentials as a cyber power and protect our economy, the code needs to offer instruction into how organizations can improve network security.

One example of the Code of Practice falling short of successfully protecting organizations in the United Kingdom against cyber attacks is with the hybrid working revolution. Hybrid- and remote-work models have brought greater flexibility to employees and uninterrupted productivity for organizations, but cyber security becomes more complex when a business is dealing with a dispersed workforce.

Implementing an edge-to-cloud approach

In the past, businesses hosted the bulk of their applications and services in their on-premise datacenters, with enterprises applying a "Castle-and-moat" security model in which no one outside the network can access data on the inside, but everyone inside the network can. Although this security mode can employ technology such as firewalls to protect against external attacks, they are not effective at stopping internal attacks and data breaches. Today, organizations are embracing a cloud-first approach that necessitates a far more sophisticated network architecture to maintain a secure and effective experience.

Since most applications have migrated to cloud computing models, businesses now have the opportunity to reduce latency with a distributed security model. By deploying cloud-based technologies such as an advanced Software-Defined Wide Area Network (SD-WAN) and Security Service Edge (SSE) solution, IT teams are empowered to simultaneously secure the corporate network and improve the end-user experience.

With such technology in place, traffic generated from hybrid-work employees can be sent to a cloud-delivered security service that enforces access policies and delivers smooth connectivity. Deploying an integrated network security framework 

Workplace technologies (and the strategies that govern them like the Cyber Governance Code of Practice) must continuously keep up with the demands of hybrid work and the ever-evolving threat landscape. Although the code covers senior management's need for a more holistic understanding and approach to cybersecurity, it doesn’t consider the technology needed to enable this.

That’s why secure access service edge (SASE), a combination of the two “technology sets” — SD-WAN and SSE — spanning core security principles such as Zero Trust, must become a central part of a modern organization’s IT security strategy. SASE takes a Zero Trust (never trust, always verify) approach to access privileges and user-identity security, applying this even if users access cloud-based applications remotely and not directly through the corporate network.

By deploying a Zero Trust-based SASE framework, the organization is well placed to streamline its security operations in a way that also enables the “work from anywhere” trend by reducing cyber breaches.

Expanding the boundaries of safe ‘in-office experiences’

Managing security from a single point of visibility and control, whether you are on the corporate network (through a wired, wireless, or wide-area network (WAN) connection) or accessing remotely is also important. 

Hybrid workgroups across home offices and remote locations have placed immense pressure on IT teams, who now must secure a wider range of connected devices than ever before. Without unified security policies, IT teams find themselves having to manually gather data from several disparate tools, which is complex and takes much longer.

As such, organizations must embrace technologies that can address fragmented network operations while uniformly applying Zero Trust policies with architectures such as SASE. The enablement of stronger, secure supervision of application access and easier centralized management via a single cloud-native point of control makes it easier for senior management to have a holistic view and simple understanding of their organization’s security.

By striking a balance between strong security, location-flexibility, and employee responsibility set out in the code when dealing with application access, organizations can ensure employee experience and future innovation, doesn’t increase their vulnerability to cyberattacks.

We feature the best cloud cost management service.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro