The heads of the UK’s intelligence agencies MI5 and GCHQ have called on the country’s top 350 listed companies to take part in a cyber governance health check
The call comes a day after a report by business consultancy firm KPMG revealed that cyber leaks at FTSE 350 firms are putting the UK’s economic growth and national security at risk and retailer Lakeland revealed it had been targeted by a “sophisticated and sustained” cyber attack.
An analysis by KPMG’s cyber response team reveals that companies vital to the UK’s economic growth and crucial to national security are leaking data that can be used by cyber attackers.
Almost 80% of large UK companies and 87% of smaller businesses experienced a data breach in the past year, according to the Cyber Security Breaches Survey published by the Department for Business, Innovation and Skills (BIS) in April.
The government lunched the 10 Steps to Cyber Security initiative in September 2012 and a Cyber Incident Response scheme in November to help businesses improve cyber security.
But after a limited uptake by UK business, the government has announced a cyber governance health check to ensure cyber awareness goes all the way to the top of a company, reported the Financial Times.
The first part of the health check is in the form of a questionnaire to assess how well the company handles issues such as protecting intellectual property and safeguarding customer data. The questionnaire is to be completed by both the chairman of the company and the chair of the company’s audit committee.
By involving the company and audit committee chairs, the health check aims to include existing internal vulnerabilities linked to governance typically overlooked by information security chiefs.
The results will be aggregated on an anonymous basis to enable companies to benchmark themselves against their peers.
Science minister David Willetts, who signed the letter along with Andrew Parker of MI5 and Iain Lobban of GCHQ, said the health check will show how aware companies are of cyber security issues and what sort of risk assessments they have put in place.
The government plans to publish some overall data in October or November 2013.
The second stage of the health check will be involve a detailed discussion with the company’s audit firm about areas in which a company may be particularly vulnerable.
Mark Brown, director of information security at Ernst & Young, welcomed the cyber health check plan and called on all businesses who received the letter to take part in the survey.
“This is the first major step towards taking the theoretical framework that was the Cyber Security for Business Initiative launched in 2012 into practical implementation and presents businesses with an opportunity to embed cyber checks into their standard corporate behaviour,” he said.
However, brown noted with 88% of businesses in the UK reporting an increase in cyber-attacks, according to Ernst & Young’s latest Global Information Security Survey, he said the current plans do not go far enough.
“The threat is relevant to and should be embraced by the wider business community proportionally. The current plan should expand to include suppliers to FTSE350.
“This is the only way to ensure that their supply chains don’t continue to pose an indirect risk to businesses in and out of the index, nor do they cancel the positive impact of this initiative,” he said.
With the cyber threat affecting potentially every aspect of an organisation, including its finances and reputation, Brown said now is the time for the business community to seize the initiative, understand the cyber risks and put pragmatic and balanced systems in place to counter them.
Read more about cyber security
- UK takes cyber threats to infrastructure seriously
- UK government sets up cyber security fusion cell
- Cyber attacks top banking risk, says Bank of England
- UK to launch public cyber security awareness campaign
- Israel launches cyber warfare training programme
- Half of companies lack cyber threat knowledge
- Top cyber threats underline need for security awareness
- Cyber security at US energy agency found wanting