UK boardrooms are struggling to cope with cybersecurity risk, especially in the telecoms and utilities sectors, where exposure is dramatic. Overall, a lack of expertise and awareness continues to plague businesses in key sectors.
A new study from CGI reveals that a full 38% of C-suite executives in UK telecoms, utilities, financial services and retail sectors believe a cybersecurity breach at their organization is likely over the next 12 months—at an average total cost over a one-year period of £1.2 million. But too few of them have real cybersecurity expertise.
On average, almost 30% of UK boardrooms in key sectors of the economy (telecoms, utilities, finance and retail) still view cybersecurity as an IT issue. And, only 35% of boardroom executives believe their board has a high level of personal expertise in cybersecurity. While boards in these key sectors rely on externally sourced cyber expertise for 15% of their requirements on average, 68% confirmed they plan to increase reliance on external consultants over the next few years.
The report also found that just 23% of non-executive directors (NEDs) say they have cybersecurity expertise, suggesting the traditional role played by NEDs to offer ‘constructive challenge’ isn’t effective when it comes to managing cybersecurity risk.
Meanwhile, cybersecurity governance is immature across UK boardrooms, to say the least.
Recent high-profile attacks have encouraged almost 80% of UK boardrooms across the UK economy’s key sectors to increase cybersecurity scrutiny. However, it appears on the agenda of only 48% of these boards ‘every few months,’ with many covering it less than twice a year.
Across the sectors surveyed, companies told us they currently assign ultimate responsibility for cybersecurity to CEOs (38%) and CIOs (31%) in the vast majority of cases, with specialist CISOs being empowered at just a handful of firms (3%). Interestingly, CEOs are the preferred choice for B2B companies while CIOs are overwhelmingly responsible at B2C firms.
“UK boardrooms are struggling to get a handle on the cybersecurity issue,” said Andrew Rogoyski, head of cybersecurity for CGI in the UK. “Boards know it is a risk but are uncertain in their approach, often failing to prioritize spend[ing] on cybersecurity. Unless more is done to improve understanding and governance at the highest level we can expect to see more high profile breaches.”
In terms of who’s most at risk, econometric modeling of the anticipated severity of an attack and the likelihood of an attack revealed that the telecoms sector is most at risk, closely followed by utilities. The model uses a combination of perceptions of the nature of sensitive information stored, the value of such data, the expenditure on defending against attacks and the overall awareness of risk to the company and sector to derive an objective risk rating.
Perhaps reflecting a loss of confidence following the TalkTalk breach, the telecoms sector sees itself lagging behind others with the lowest level of boardroom cybersecurity expertise. Just 29% of telecom boards are viewed as having a high degree of expertise, while firms in this sector hold sensitive data with an average estimated value to the company of over £42 million.
Relative to other key sectors of the economy examined, telecoms respondents were also the least confident about the risk of attack this year; with 52% believing their company was likely to experience a significant breach in the next 12 months.
Perhaps in response, 76% of boards plan in this sector to increase their use of external cybersecurity expertise. On average, the sector plans to increase cybersecurity investment by boosting technology and personnel spend by 12% this year, compared to 7% in sectors such as retail and insurance that perceive cyber risk to be less urgent.
The utilities industry is also at relatively high-risk, but boards discussing cybersecurity least often—in 40% of utilities firms the issue makes the boardroom agenda just twice each year.
Companies in the sector hold sensitive data estimated at over £50 million on average, but were found to be significantly behind other sectors in terms of having robust plans in place to handle a cyber event, with just one in five respondents confirming their firm’s cyber-crisis management plan is well developed.
“This is surprising given that utilities firms have high resilience with good business continuity planning, perhaps showing a lack of maturity in the treatment of cybersecurity as a major business risk,” the report noted.
Utilities firms do plan to increase cybersecurity investment by 14%, the second highest increase after banking, and over 70% of utilities boards plan to look to external consultants to support their plans over the next few years.
“Encouragingly, our research shows that boards do now appear to be taking cybersecurity more seriously with planned increases in scrutiny, investment and external advice,” said Rogoyski. “Based on analysis it is clear that the telecoms and utilities industries in particular must accelerate these efforts, which is consistent with recent UK, US and European government action to improve the protection of critical national infrastructure.”
Photo © Rawpixel.com