
Cyber security study reveals lack of boardroom governance across UK industries

While 81% of UK boards have increased cyber security scrutiny after the TalkTalk breach, only 53% have data breach management plans in place, a survey has revealed

Nearly half of UK companies polled across major sectors lack well-developed crisis management plans to deal with data breaches, a study commissioned by global tech firm CGI has revealed.

While 81% of respondents said they had increased cyber security scrutiny after the TalkTalk breach, only 53% said they had data breach management plans in place, according to the survey of more than 150 UK board members conducted by the Centre for Economics and Business Research (CEBR).

The survey also revealed that 48% of respondents said cyber security appears on the agenda only “every few months”, with many covering it less than twice a year, and only 9% of their IT budget, on average, is devoted to preventing cyber attacks.

The study set out to explore how C-level executives and board members across the retail, telecoms, finance, insurance and utility sectors govern security risk, who holds responsibility for cyber security and how prepared they are to address those risks.

The study revealed that almost 30% of boardrooms in the UK’s key economic sectors still view cyber security as an IT issue, with only 35% of boardroom executives believing their board has a high level of personal expertise in cyber security.

This confidence level drops to just 23% for non-executive directors (NEDs), suggesting the traditional role played by NEDs to offer “constructive challenge” is not effective when it comes to managing cyber security risk.

Fewer than half of UK boardrooms are confident in the IT security advice they receive today. While boards in these key sectors currently source 15% of their cyber expertise externally, 68% said they planned to increase their reliance on external consultants in the next few years.


Across the sectors surveyed, respondents said their companies most often assign ultimate responsibility for cyber security to CEOs (38%) or CIOs (31%), with a specialist CISO empowered at just a handful of firms (3%). CEOs are the preferred choice at B2B companies, while CIOs are mostly responsible at B2C firms.

According to the survey, 38% of C-suite executives believe a cyber security breach at their organisation is likely in the next year. These businesses estimate that if their most valuable data were lost or corrupted, the average total cost over a one-year period would be £1.2m.

Telcos and utilities most at risk of cyber breach

Incorporating economic analysis by CEBR, the study revealed that the telecoms and utilities sectors are significantly more exposed than banking, insurance and retail.

Telecoms and utilities are the most “at risk” sectors of the UK economy, relative to the other key sectors analysed. The telecoms sector sees itself lagging behind others, with the lowest level of boardroom cyber security expertise.


Just 29% of telecoms boards are viewed as having a high degree of expertise, while firms in this sector hold sensitive data with an average estimated value to the company of more than £42m.

Relative to other key sectors of the economy, telecoms respondents also rated the risk of attack this year highest, with 52% believing their company was likely to experience a significant breach in the next 12 months.

Perhaps in response, 76% of telco boards plan to increase their use of external cyber security expertise. The sector also plans to raise cyber security investment by boosting technology and personnel spend by 12% this year, compared with 7% in sectors such as retail and insurance that perceive cyber risk to be less urgent.

The utilities industry is also at relatively high risk, with boards discussing cyber security least often – in 40% of utilities firms the issue makes the boardroom agenda just twice a year. Companies in the sector hold sensitive data estimated at more than £50m on average, but were found to be significantly behind other sectors in terms of having robust plans in place to handle a cyber event, with just one in five respondents confirming their firm’s cyber crisis management plan is well developed.

Utilities firms plan to increase cyber security investment by 14%, the second highest increase after banking, and over 70% of utilities boards plan to look to external consultants to support their plans over the next few years.

Cyber security needs C-level buy-in

Andrew Rogoyski, head of cyber security at CGI in the UK, said UK boardrooms were struggling to get a handle on the cyber security issue. “Boards know it is a risk, but are uncertain in their approach, often failing to prioritise spend on cyber security,” he said.


According to Rogoyski, there are likely to be more high-profile breaches unless more is done to improve understanding and governance at the highest level.

“Encouragingly, our research shows that boards do now appear to be taking cyber security more seriously, with planned increases in scrutiny, investment and external advice.

“Based on CEBR’s analysis, it is clear that the telecoms and utilities industries, in particular, must accelerate these efforts, which is consistent with recent UK, US and European government action to improve the protection of critical national infrastructure,” he said.

CGI’s recommended seven steps to improved cyber security governance:

  1. Appoint a senior executive at board level to be responsible for cyber security with the authority and know-how to address the risks.
  2. Include cyber security on every board agenda, reporting on risk to the business, nature of sensitive data and mitigation progress at a minimum.
  3. Treat cyber security as a company-wide business risk and assess as you would with other key business risks, encouraging a discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance.
  4. Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk, including the emerging European legislation in the form of the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD).
  5. Get specialist expertise to advise and inform the board, whether from internal teams or external advisors.
  6. Set a programme of work to manage cyber risk, allowing a realistic time and budget.
  7. Demand improved security from your IT suppliers, including products, systems and services.
