UK boards are getting better at understanding cybersecurity as a strategic issue, but still lack crucial awareness of the impact of attacks on their organization, according to a new government report.
The FTSE 350 Cyber Governance Health Check 2018 features data collected from interviews with the top 350 businesses in the UK, across multiple sectors.
It found that although 72% of respondents now consider cyber risks to be “high” or “very high” in comparison to all business risk, only half (54%) claimed their board understanding of business-critical assets was “fairly comprehensive” or “comprehensive.”
What’s more, only 16% claimed their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats. Unsurprisingly perhaps, those boards with a more comprehensive understanding of cyber threats and their impact have more extensive governance processes in place, the report continued.
Further, whilst nearly all FTSE 350 firms (96%) have a cybersecurity strategy in place and 88% report boards being actively engaged in cyber risk management, only 60% said they’ve agreed and formalized their risk appetite, whilst less than half (46%) have a dedicated budget for cybersecurity.
Nearly all (95%) FTSE 350 firms have an incident response plan in place, but only 57% test it regularly and just a quarter externally audit these plans.
Supply chain risk is also a major blind spot for firms. While nearly three-quarters (73%) of respondents claimed to recognize supply chain risk, less than a quarter (23%) said the same for risks associated with firms they’re not directly contracted with.
Nearly three-quarters of respondents (71%) said the information boards receive on cyber risk is up-to-date and robust, although just 53% claimed it is comprehensive. Firms that have a CISO in place are more likely to describe this information as comprehensive, the report found.
The report also found the General Data Protection Regulation (GDPR) has improved awareness of cyber issues among boards. Over three-quarters (77%) of FTSE 350 firms said board discussion and management of cybersecurity had increased since May 2018, with more than half also introducing enhanced security measures as a result.
Kevin Williams, head of KPMG UK’s cybersecurity practice, argued that cybersecurity is a business issue, not an IT issue.
“Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents,” he added.
“The 2018 survey shows that we are moving in a positive direction, but there continues to be a need for a more comprehensive understanding of the impact of loss or disruption associated with cyber threats to an organization. The investment needs to be not only financial but in education for all and ensuring the right resources are in place to innovate, and take advantage of new technological advances, whilst assessing the risks and responding accordingly.”
The National Cyber Security Centre (NCSC) last year introduced a board toolkit to help firms better understand their cyber risk.