Directors and company boards are being urged to shore up their cyber defences using new guidance published today, in a bid to protect their organisations from the growing tide of online threats.
A new Code of Practice, launched by the Cyber Security Minister in early April (2025), sets out how business leaders can protect their day-to-day operations and secure future growth for the British economy – the engine driving the government’s plan for change.
Actions include having a cyber strategy in place to ensure cyber risk management effectively supports business resilience and growth. Other key actions include promoting a cyber secure culture so employees at all levels know what to look out for, and putting incident response plans in place, allowing organisations to quickly respond to incidents when they occur.
The Code has received backing from across UK industry with organisations including the Institute of Directors, EY and Wavestone welcoming the launch.
Cyber attacks have become increasingly common, with 74% of large businesses and 70% of medium-sized firms experiencing attacks and breaches in the past year. Cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019, with significant knock-on effects to daily operations and an organisation’s long-term reputation.
With a third of large businesses lacking a formal cyber strategy and nearly half of medium firms operating without an incident response plan, the Code provides the direction leaders need to take control of their cyber risk.
Cyber Security Minister Feryal Clark said:
“A successful cyber attack doesn’t just have the potential to grind operations to a halt – it could drain millions from the bottom line.
“If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat.
“Our new Cyber Governance Code of Practice does exactly that – setting out in clear terms steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers.”
NCSC CEO Richard Horne said:
“In today’s digital world, where organisations increasingly rely on data and technology, cyber security is not just an IT concern – it is a business-critical risk, on a par with financial and legal challenges.
“From my experience working alongside senior leaders across both private and public sectors, I’ve seen first-hand how robust cyber governance is essential to drive resilience, support growth, and help to ensure long-term success.
“I urge all board members to engage with the new Cyber Governance resources unveiled today and make cyber security an integral part of their governance. Cyber security is a leadership imperative.”
The Cyber Governance Code of Practice is the foundation of this new support package, developed in partnership with the National Cyber Security Centre and industry leaders, setting out key actions boards should take to strengthen accountability and reduce risk. It’s supported by online training to help implement the Code, and a detailed Board Toolkit with further practical guidance. This will arm businesses with confidence in the tools they deploy to protect themselves online, safeguarding their businesses, their workers, and their customers.
This package, also produced in collaboration with Non-Executive Directors, ensures boards have practical, relevant resources to deepen their understanding and effectively govern cyber risks.
Small businesses looking to strengthen their online defences are encouraged to engage with the NCSC’s Small Business Guide, which provides quick and easy actions to help bolster their defences, and with support through the Cyber Local scheme, which provides tailored funding to boost regional cyber skills.
Cyber security has become a central part of the government’s plans to secure the digital services which drive growth across the country to deliver on its Plan for Change.
A set of proposals that will protect the UK’s supply chains, critical national services, and IT service providers and suppliers will be introduced to Parliament later this year. This will see hospitals and energy suppliers boost their cyber defences, protecting public services, and safeguarding growth.
John Edwards, UK Information Commissioner, said: “With cyber incidents increasing across all sectors, it is crucial for organisations and businesses to take a proactive approach to cyber security governance, including putting the appropriate security measures and training in place to protect people’s data while boosting innovation. We welcome the new Cyber Governance Code of Practice and would encourage organisations to prioritise the digital safety of their assets and, ultimately, their reputation.”