FTSE 100 failing the cyber test

FTSE 100 failing the cyber test

They are large organisations and all of them face considerable challenges in keeping their data and IT systems secure. Yet only a tiny minority of FTSE 100 companies have a Board member with specialist cyber security experience.

Research from Deloitte this week has shown that just 5% of the FTSE 100 currently employ a director responsible for cyber risk. Just 5%!

Cyber security is now widely accepted as having strategic importance. Data breaches can adversely affect reputation (including the reputations of Board members) as well as damaging an organisation’s competitive positioning. And there is a big moral dimension too: allowing personal data to leak out can cause individual consumers enormous difficulties, from cloned credit cards and frauds to wholesale identity theft.

But all too often cyber security seems to be treated as a technical issue for overworked IT departments and cyber breaches are considered simply a cost of doing business. Perhaps that will change with the considerable fines available to regulators under the new European privacy regulation, the  GDPR,  which will come into force from May 2018.

In the meantime though Boards are all too often simply brushing the issue aside.

So what needs to change? It’s simple really. Boards need an individual who can interpret the risks their organisation faces from cyber and communicate the steps that need to be taken to senior management.

But this individual can’t be just anyone. As Jason Hart, CTO for Data Protection at Gemalto says:

“It shouldn’t just be anyone that takes up this role though, they need to have the right set of skills and qualifications. Like accountants must have certain criteria to be able to work, so must security professionals.” Mr Hart proposes that, for this to be taken seriously, an industry standard should be created so that companies be sure they are appointing the right people. Security is, or should be, a Board level issue and the person responsible needs to be appropriately qualified and experienced. “The person responsible for this really does hold the key to the business in their hands, so we need to be sure they are capable of doing so.”

That's certainly true. And the problem goes deeper than qualifications. The difficulty is that many senior executives simply don't recognise the value of cyber security and cyber resilience. This is illustrated by recent research from the Ponemon Institute (registration required) that indicates that under half (45%) of UK organisation leaders recognise that revenues can be affected by cyber resilience and only slightly more (46%) recognize the effect on reputation. With this degree of scepticism at Board level is it surprising that cyber security fails to get the attention it deserves?


Copyright Lyonsdown Limited 2021

Top Articles

Exposure of financial services to phishing rose by 125% in 2020

There was a 125% surge in the number of phishing attacks that financial services and insurance organisations experienced between 2019 and 2020.

Millions of Brits using old and unsecured routers, finds Which? ISPs differ

Which? has warned that millions of Brits are using old Wi-Fi routers, vulnerabilities in which could be exploited by hackers.

Scripps Health suffers a ransomware attack, suspends critical operations

Scripps Health recently suffered a ransomware attack that forced it to suspend user access to its online portal and applications and divert patient care operations.

Related Articles