lolloj - Fotolia

Top UK directors lack training to deal with cyber attacks

The UK’s top firms and charities urgently need to do more to protect themselves from online threats, according to a government-backed audit

The latest government cyber governance health check and a survey of the UK’s top 350 companies have revealed that more than two-thirds of boards have not received training to deal with a cyber incident.

The annual cyber health checks are carried out in collaboration with the audit community, including Deloitte, EY, KPMG and PwC. The reports said 68% of company directors had no cyber incident response training, despite more than half saying cyber threats were a top risk to their business.  

One in 10 FTSE350 companies admitted they operate without a response plan for a cyber incident, and less than a third of boards receive comprehensive cyber risk information.

Digital minister Matt Hancock said the UK may have world-leading businesses and a thriving charity sector, but recent cyber attacks have shown the devastating effects of not having the right approach to cyber security.

“These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre (NCSC) and take up the government’s advice and training,” he said.

Significant threat

Zubin Randeria, cyber security leader at PwC, said the reports echo the findings of the PwC CEO Survey, which found that three-quarters of UK CEOs consider cyber risks to be a significant threat to their business and 97% are addressing cyber incidents.

“It’s positive that cyber security is now front of mind for boards and business leaders, but concerning that many still are not equipping themselves with the right knowledge to respond when the worst does happen,” he said.

The latest annual health check, however, revealed there has been progress since last year, with more than half of FTSE350 boards now setting out their approach to cyber risks, up by 20 percentage points to 53%, and more than half of businesses having a clear understanding of the impact of a cyber attack, up from 49% to 57%.

Phill Everson, head of cyber risk services at Deloitte, said this year’s cyber health check marks a clear improvement in board level awareness of cyber risks and their impacts, driven in large part by high-profile, cross-sector incidents.

“There is still some way to go, though, as the findings show that many boards still do not have a defined role to lead a company-wide response. This corroborates the recent Deloitte analysis of FTSE100 annual reports, which found that just 5% disclose having a board member with specialist technology or cyber experience,” he said.

Board-level priority

Stuart Whitehead, head of cybersecurity, privacy & resilience at EY in UK and Ireland, said it is good to see that cyber is increasingly a board-level priority among the largest companies. “But there is still some way to go to best prepare organisations for a potential breach.  With the current backdrop, the cyber agenda is evolving into a conversation about organisations’ resilience to cyber-attacks. This is not only how organisations protect themselves but how they respond to an incident, recover business processes and limit the impacts to revenue and reputation,” he said.

The government said in a statement that it is fully committed to defending against cyber threats, with a five-year National Cyber Security Strategy announced in November 2016, supported by £1.9bn of investment. This includes opening the NCSC and offering free online advice as well as training schemes to help businesses protect themselves.

The government has also published a guide titled 10 Steps to Cyber Security, which sets out a framework to help company boards manage cyber risks, from getting the basics right through to protecting their most critical assets, while the Cyber Essentials scheme sets out the technical basics all companies should have in place.

The government has also announced proposals on how to help the UK’s essential industries be more resilient to cyber threats through the NIS Directive.

Alex Dewdney, NCSC director for engagement, said that while the NCSC is committed to making the UK the safest place in the world to live and do business online, everyone has a part to play.

“That’s why we’re committed to providing organisations with expert advice through our website and direct engagement. We also urge organisations to follow the guidance in the government’s Cyber Essentials Scheme,” he said.

Security at charities

Separate research looking at the cyber security of charities found that charities are just as susceptible to cyber attacks as businesses, with many staff not well informed about the topic, and awareness and knowledge varying considerably across different charities.

Other findings show those in charge of cyber security, especially in smaller charities, are often not proactively seeking information and rely on outsourced IT providers to deal with threats.

“Charities must do better to protect the sensitive data they hold and I encourage them to access a tailored programme of support we are developing alongside the Charity Commission and the National Cyber Security Centre,” said Hancock.

Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cyber security
Helen Stephenson, chief executive, Charity Commission for England and Wales

Where charities recognised the importance of cyber security, the study found this was often due to holding personal data on donors or service users, or having trustees and staff with private sector experience of the issue. Charities also recognised that those responsible for cyber security need new skills and that general awareness among staff needs to increase.  

Helen Stephenson, chief executive of the Charity Commission for England and Wales, said charities have lots of competing priorities, but the potential damage of a cyber-attack is too serious to ignore.

“It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need, and damage its precious reputation. Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cyber security.

“We want to make sure charities are equipped to do this, and we encourage them to use the advice on our Charities against fraud website. We also continue to work closely with the government to help charities protect themselves online.”

Data protection

The 2017 FTSE350 Cyber Governance Health Check included for the first time questions about data protection in the light of the government’s new Data Protection Bill, which is expected to come into effect in May 2018, effectively aligning UK law with the EU’s General Data Protection Regulation (GDPR).

Responses revealed that awareness of GDPR is good, with 97% of firms saying they are aware of the new regulation and almost three quarters (71%) saying they were “somewhat prepared” to meet the GDPR requirements.

However, only 6% are fully prepared, just 13% said GDPR was regularly considered by their board, and 45% of boards said they are most concerned with meeting GDPR requirements relating to an individual’s right to personal data deletion.

Read more about GDPR

The Information Commissioner’s Office (ICO) has produced guidance for organisations on implementing the regulation, including a checklist for businesses on the actions they need to take; and a series of interactive workshops and webinars.

The ICO will also produce guidance for organisations about responsibilities under GDPR and for individuals on their rights under  GDPR. The Department for Digital, Culture, Media and Sport will continue to work closely with the ICO during this transitional period, the government said.

KPMG’s Paul Taylor said it is “worrying” that with less than a year to go, many organisations still have a lot to do. “GDPR will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member states. The regulation sets a new bar for customer and client privacy expectations, but the truth is that many just don’t understand what they have to do and how to deal with it," he said.

“Boards need to take GDPR as a warning to rethink how they collect, store, use and disclose personal information. Done right this can transform their business model helping match services to client needs; done wrongly then they run a growing risk of data breaches and subsequent enforcement action with the prospect of fines up to 4% of global turnover," he added

“Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, then perhaps cyber security will become mainstream and a vital component of doing business in our digital world."

Read more about the NIS Directive

Read more on Data breach incident management and recovery