The scale of and the issues raised by the cyber attack on TalkTalk last year led to the launch of the UK government’s Cyber Governance Health Check which was intended to help understand and improve how FTSE 350 companies are managing cyber security risks.
The latest Cyber Governance Health Check carried out by KPMG shows that even though two thirds of those FTSE companies have suffered a cyber attack in the last year, 54% of boardrooms only hear about cyber security twice a year, or when there is a security incident.
The whole subject of cyber security was something that until recently was not thought to be important enough to be discussed in the boardroom. In 2013 for example nearly half of boardrooms thought the subject not worthy of discussions whereas that figure has thankfully fallen to 15% this year.
Too much of a heavy and inflexible focus on governance and compliance, as well as a view that cyber security was the job of the IT department are thought to be contributing factors to lack of awareness in the boardroom and vulnerability to fast evolving cyber security threats.
Higher Priority But Still Underprepared
Recent research by Ipsos MORI in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth has confirmed that the issue cyber security has now been given much higher priority by businesses, but those businesses are still underprepared and are lacking the knowledge of how to improve their security.
The research showed for example that even though 69% of businesses say cyber security is either a very high (33%) or fairly high (37%) priority for their organisation’s senior management, many may not fully understand how their organisation is at risk and what action to take.
Just half *(51%) of all businesses (*the figure is higher among medium and large firms) have tried to identify the cyber security risks faced by their organisation e.g. using health checks, risk assessments or audits, but only 29% have formal written cyber security policies, and only 10% have a formal incident management plan.
The same research showed that the most common cyber security breaches over the last year (68%) have been caused by viruses /spyware / malware. Most businesses however would be likely to acknowledge that human error is a big factor in triggering virus /spyware / malware attacks.
What Does This Mean For Your Business?
Although the latest research shows that there is still a problem at boardroom level with the issue of cyber security, things have improved over the last 2 years.
It is important for UK businesses especially at board level to take steps to understand their risk profile, understand where and what their information / data assets are, and to take steps now to protect those assets and improve cyber resilience.
This could involve improving awareness among and giving training to all staff, making sure that at least all essential areas are covered e.g. using the government backed Cyber Essentials.