Only 5% of FTSE 100 companies say they have a tech expert on the board, despite the vast majority (87%) identifying cybersecurity as a major risk to the firm, according to Deloitte.
The professional services giant’s Cyber reporting survey is an analysis of all FTSE 100 firms’ annual reports, with a focus on online risk.
It revealed a worrying disconnect between awareness of the growing threat to their business from cyberspace and concrete actions to mitigate that threat.
In addition to the 5% with cyber or tech experts on the board, only 10% delivered cyber training to the board and 11% said they’d created a new role to deal with the issue.
What’s more, while over half said they had “contingency plans, crisis management or disaster recovery plans” in place to help mitigate cyber risk, just 58% said they tested them annually.
“Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company,” argued Deloitte head of cyber risk services, Phill Everson.
“Interestingly, very few reports identified employee action as one of their cybersecurity threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.”
Just over a quarter of reports (28%) said staff cybersecurity training had been delivered, 22% referenced vulnerability or pen testing, and just 5% claimed to have insurance in place against cyber risk.
Unsurprisingly, unauthorized access (19%), hacking (13%) and malware (13%) were the most common types of threat disclosed in the reports, with business disruption (68%), reputational damage (58%) and data loss (45%) the most common impacts given.
John Madelin, CEO at cybersecurity firm RelianceACSN, argued that every board needs an expert in security who understands it and can “champion” it at that level.
“The recent spate of high-profile breaches highlights that businesses are on the back foot and the trend is to throw technology at the problem, rather than get basic network protection right,” he added. “If more organizations focused on securing their critical assets, rather than battling to secure all, we’d be seeing far fewer of these headlines in the news.”
Paul Briault, digital security, identity and API management director at CA Technologies, claimed organizations are still too reactive in their approach.
“If employees don’t know how to use the technology, then there is the risk that they will use it in the wrong way. Equally, if organizations rely too much only on reactive security mechanisms, the chances of missing signs of an attack are much greater,” he argued.
“By taking a proactive approach, having an ‘always ready’ mentality and maintaining a good level of security hygiene across the entire organization, businesses not only have a better chance of preventing attacks from occurring but are in a better position to respond to security incidents when they occur.”