By Bruce McDougall, Cyber & Information Security Advisor, Black Arrow Cyber Consulting.
The British Chamber of Commerce is urging members to act now to strengthen cyber resilience.
That message matters here in Guernsey too, where organisations of every size are dealing with real-world impacts, including financial loss, operational disruption, and personal data breaches.
Cyber risk is now part of everyday business. The Guernsey Chamber of Commerce recommends the Cyber Governance Code of Practice to help leaders strengthen security and, just as importantly, resilience.
A New Normal
The National Cyber Security Centre describes cyber risk as “the new normal” as attackers target organisations of every size. Guernsey’s low exposure to physical threats contrasts sharply with the persistent likelihood of online attack.
The UK government has advised all organisations to plan for how they will operate during a total loss of technology, while research indicates that more than 10% of smaller organisations might not survive a major cyber-attack if they have not prepared.
This highlights why resilience, not just security, is essential.
Security versus Resilience
Security reduces the probability of an attack, but resilience is based on the reality that nothing can be 100% secure; therefore, the business needs to withstand a cyber incident when it happens.
True resilience depends on coordinated action across people, operations, and technology, which requires strong leadership and governance. This is where the Cyber Governance Code of Practice provides a clear and structured approach.
The Cyber Governance Code of Practice
The Code is a clear set of actions designed to help leaders take command of their cyber risks. It aligns with GFSC Rules and Cyber Essentials, and is built around five principles.
Two areas tend to make the biggest difference:
1) Incident planning, response and recovery
Leaders should rehearse how they would handle a realistic, challenging cyber incident.
The most valuable exercises are not the ones where technology magically prevents the worst. The valuable ones test how your leadership team responds when things do go wrong, and how you keep the business alive during an ongoing incident.
A business-focused exercise run by an impartial cyber expert can help you test assumptions, spot gaps, and build genuine resilience.
2) Assurance and oversight
The Code repeats the phrase “Gain assurance that…” for a reason. It pushes leaders towards evidence-based governance.
A practical approach is a quarterly review of cyber metrics, agreed by leadership. The key is that leaders specify the evidence they want to see, rather than only receiving whatever information a provider chooses to share.
The Code also encourages leaders to improve their own cyber literacy. Upskilling from an impartial source can help reduce blind spots and make oversight more effective.
Cyber Essentials is a good first step
Cyber Essentials is described as the minimum cyber security standard businesses should have. It covers five basic controls and is a sensible starting point.
It is not the whole solution though. Cyber Essentials alone may not meet all regulatory expectations, including GFSC requirements. Many organisations will need to build beyond it.
What to do now
A simple next step is to bring the Code to your next Board meeting and discuss how to apply it proportionally in your organisation.
If you do one thing this month, do this:
- Add cyber governance to your next board agenda.
- Agree what “evidence” the board wants to see quarterly.
- Test your incident response plan with a realistic scenario.
Helpful resources
You can access the Cyber Governance Code of Practice and supporting materials here.
You can also subscribe to Black Arrow’s free weekly Cyber Threat Intelligence Briefing email, which summarises key insights from specialist and general media for business leaders.
To learn more about Black Arrow Cyber Consultancy, click here.