Blog

Companies need to do more to mitigate the potential effects of cyber-attacks, the head of GCHQ has said, including making physical, paper copies of crisis plans to use if an attack brings down entire computer systems.

“What are your contingency plans? Because attacks will get through,” said Anne Keast-Butler, who has headed GCHQ, the British government’s cyber and signals intelligence agency, since 2023.

“What happens when that happens to you in a company, have you really tested that?” said Keast-Butler, speaking on Wednesday at a London conference organised by the cybersecurity company Recorded Future. “Your plans … have you got them on paper somewhere in case all your systems really go down? How will you communicate with each other if you’re completely reliant on a system that actually you shut down?”

Last week, the National Cyber Security Centre, which is part of GCHQ, announced figures showing that “highly significant” cyber-attacks have risen by 50% in the past year. Security and intelligence agencies are now dealing with a new attack several times per week, the figures showed.

Keast-Butler said the government and business needed to work together to tackle future attacks and improve defensive systems, as modern technology and artificial intelligence make the threats more diffuse and reduce “the entry level capability” that malicious actors need to do damage. She said work with internet service providers to block malicious websites at source was “blocking millions of potential hits” but said major companies needed to do much more to protect themselves.

On Tuesday, a report by the Cyber Monitoring Centre (CMC) said the hack of Jaguar Land Rover had cost the UK economy an estimated £1.9bn, which could make it the most costly cyber-attack in British history.

JLR had to shut down systems across all its factories and offices after the attack in August, and may not be able to return to normal production capacity until January.

Keast-Butler said “[there are] far, far, far more attacks that get stopped than the ones that we’re focusing in on”, but added that the increased publicity around the JLR and several other major cyber-attacks provided a good moment to ram home the importance of cybersecurity protocols.

She said she spoke regularly to CEOs of major companies and one of her messages to them was that they need to put people who understand cybersecurity on their boards. “Quite often, the way boards are configured, they don’t have people who will know the right questions to be asking. So the interest is there, but the right questions don’t get asked,” she said.

Earlier this year, the Co-op Group suffered a cyber-attack that cost it up to £120m in lost profits and compromised the personal data of some of its members. Shirine Khoury-Haq, the group’s CEO, released an open letter in the aftermath detailing the importance of cybersecurity drills to build strategy on how to deal with an attack.

“The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse. That said, those drills are invaluable; they build muscle memory, sharpen instincts, and expose vulnerabilities in your systems,” wrote Khoury-Haq.

Keast-Butler encouraged companies to share information on attacks with government agencies, saying that “safe spaces” had been set up to enable them to do so without the risk of giving away commercially sensitive information to competitors.

“I think sometimes people are a bit too reticent to come forward because there’s a sort of personal thing on them or their company as a whole. And that doesn’t help any of us, because then they’re not making the kind of long-term strategic systems changes that we can help out with,” she said.