Many top UK boards still do not understand the impact of a cyber attack on their business, the latest government Cyber Governance Health Check reveals.
Fewer than one in five boards can claim to understand the impact of loss or disruption associated with cyber threats, despite 96% having a cyber security strategy in place.
The report on the approach the UK’s FTSE 350 companies take to cyber security also reveals that even though 95% have cyber incident plans in place, only just over half (57%) actually test them on a regular basis.
Digital minister Margot James said that while world-leading companies are well aware of the risks, more needs to be done by boards to make sure that they do not fall victim to a cyber attack.
“This report shows we still have a long way to go, but I am also encouraged to see some improvements are being made.
“Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre [NCSC] and take up the government’s advice and training that’s available,” she said.
Improvements highlighted in the latest report for 2018 include the fact that awareness of the threat of cyber attacks has increased. Almost three quarters (72%) of respondents acknowledge the risk of cyber threats is high, compared with just 54% in 2017.
The report shows that the full implementation of the EU’s General Data Protection Regulation (GDPR) and the UK’s GDPR-aligned Data Protection Act 2018 in May 2018 has had a positive effect in increasing the attention that boards give to cyber threats. More than three quarters (77%) of respondents said that board discussion and management of cyber security had increased since implementation of the GDPR, and more than half of those businesses had also put increased security measures in place as a result.
Ciaran Martin, CEO of the NCSC, said every company needs to grasp fully their own cyber risk. “That is why we have developed the NCSC’s board toolkit to help them.
“This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice.
“Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”
Alongside the publication of the health check report, the government said that more work is being done to improve the cyber resilience of business, announcing a project aimed at helping companies understand their level of resilience.
The cyber resilience metrics will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile effectively, said the Department for Digital, Culture, Media and Sport (DCMS).
Once developed, DCMS said these indicators will provide board members with information to understand where further action and investment is needed.
Improving the management of risks
The government is recommending that the boards of UK companies continue to make improvements to their cyber security. This includes using the guidance published by the NCSC to improve the management of risks.
Companies should also ensure cyber risks are taken into account in their business strategy and appoint a chief information security officer (CISO) or other appropriately placed staff members who can clearly communicate information about cyber risks to the board, the government said.
The Cyber Governance Health Check is part of the government’s National Cyber Security Strategy 2016-2021 that is backed by a £1.9m investment and aimed at making the UK the safest place to live and do business online.
The 2018 FTSE 350 Cyber Governance Health Check was undertaken in partnership with Winning Moves and support from EY, KPMG, PwC and Deloitte.
Richard Horne, cyber security partner at PwC, said boards need to recognise that they have a responsibility to drive changes to business and IT operating models to enable their organisations to be securable. “Managing cyber risk is about far more than just building security controls and requires board-driven business change,” he said.
Gavin Cartwright, associate partner for cyber security at EY, said that with only one in five FTSE 350 companies undergoing a cyber simulation last year, the report highlights that cyber security is still not fully embedded in the culture of many of these companies.
“In addition to having cyber security strategies in place, organisations and their boards need to continually build and invest in their in-house capabilities, practise responses and train and evaluate cyber-first responders across their business and supply chain.”
Kevin Williams of the KPMG UK cyber security practice said cyber security is a business issue – not an IT one. “Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents.”
While the 2018 survey shows some positive trends, Williams said there continues to be a need for a more comprehensive understanding of the impact of loss or disruption associated with cyber threats to an organisation.
“The investment needs to be not only financial, but in education for all and ensuring the right resources are in place to innovate, take advantage of new technological advances, whilst assessing the risks and responding accordingly.”