The government's FTSE 350 Cyber Governance Health Check Report for 2018 has found that an overwhelming 84% of company boards in the UK do not have a comprehensive understanding of the impact of loss or disruption associated with cyber threats and that a large number of FTSE 350 organisations are not testing their cyber security incident response plans regularly.
The report does highlight major improvements in the steps taken by FTSE 350 companies to respond to a wide range of cyber threats and to avoid breaching data protection rules in light of the arrival of GDPR, which led to an increase in board discussion and management of cyber security last year.
The report noted that as many as 96% of FTSE 350 companies have a cyber security strategy in place, that 95% of them now have cyber security incident response plans, and that awareness of the threat of cyber attacks among such companies increased from a mere 54% in 2017 to 72% in 2018.
However, even though such large companies across the UK have incident response plans in place, only 57% of such companies are testing them on a regular basis to measure their effectiveness. What's more worrying is that even though board discussion and management of cyber security had increased at 77% of companies since the arrival of GDPR, as many as 84% of FTSE 350 boards do not have a comprehensive understanding of the impact of loss or disruption associated with cyber threats.
"This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available," said Digital Minister Margot James.
NCSC asks FTSE 350 boards to take advantage of Board Toolkit
In October, the National Cyber Security Centre (NCSC) asked FTSE 350 boards to ask themselves five simple yet effective questions to accurately assess their cyber risk and the effectiveness of their response strategies. It said that these "five core questions" will not only help FTSE 350 boards understand initial risks and areas of improvement, but will also help them understand cyber risk in the same way they understand financial risk, or health and safety risk.
Following are the five questions that the NCSC asked company boards to ask themselves:
1. How do we defend our organisation against phishing attacks?
2. What do we do to control the use of our privileged IT accounts?
3. How do we ensure that our software and devices are up to date?
4. How do we ensure our partners and suppliers protect the information we share with them?
5. What authentication methods are used to control access to systems and data?
"Cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks. But to have the plain English, business focussed discussions at board level, board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk," said Ciaran Martin, chief executive of the NCSC.
According to Martin, these five questions have been incorporated in NCSC's Board Toolkit that allows company boards to recognise and resolve gaps in their knowledge of cyber security. The government has also launched a new project called cyber resilience metrics which will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile effectively.
"Cyber security is a business issue, not an IT issue. Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents," said Kevin Williams from KPMG UK's cyber security practice.
"The 2018 survey shows that we are moving in a positive direction, but there continues to be a need for a more comprehensive understanding of the impact of loss or disruption associated with cyber threats to an organisation. The investment needs to be not only financial but in education for all and ensuring the right resources are in place to innovate, take advantage of new technological advances, whilst assessing the risks and responding accordingly," he added.
Commenting on the findings of the government's FTSE 350 Cyber Governance Health Check Report, Adenike Cosgrove, cybersecurity strategist for EMEA at Proofpoint, said that it is clear that organisations aren't confident that their GDPR compliance strategy is fit for purpose, and that a worrying number of companies have yet to take initial steps to fix this business issue. Having complete visibility into highly regulated data and the systems that process it, and identifying who within the business has access to it, is the bare minimum.
"With today's threats targeting the human factor and phishing representing 93% of breaches according to Verizon's latest DBIR report, it is critical for companies to build a people-centric security and compliance strategy. The Google fine should have been enough to convince any board that regulations around data security are not to be taken lightly and should be committing resources to become GDPR compliant if their organisation isn't today," she added.