Government warns that less than half FTSE 350 boards have dedicated cyber security budget

By Derek du Preez, March 4, 2019
The government’s annual Cyber Governance Health Check highlights that whilst boards have a cyber security strategy, less than half are dedicating money to support it.

It is evident from some of the data and cyber security breaches we have seen in recent months and years that the impact for a company can be severely damaging and far reaching - not just in terms of fines, but also reputational damage and market confidence.

Far too often the approach has been reactive, rather than proactive. In other words - ‘Now we’ve suffered a hit, we will say sorry and do something about it’.

This sentiment seems to ring true with the findings in the government’s latest Cyber Governance Health Check report, which finds that whilst most FTSE 350 companies have a cyber security strategy in place, less than half (46%) of boards are funding it.

The other findings continue on this theme - whilst top-level ideas and board-level awareness are in place, the application of these is less evident. For example, whilst most businesses have incident response plans in place (95%), only 57% test their crisis incident response plans on a regular basis.

And while the number of boards that perceive the risk of cyber threats as high or very high is increasing (72% this year, versus 54% last year), board level understanding of business-critical information, data assets and systems is not increasing at the same rate. A clear understanding of these issues on the board is currently at 54%, compared to 43% last year.

And although the increase is there, only 12% of businesses rate their understanding 5 out of 5, indicating the majority of businesses feel that board understanding could be improved.

Commenting on the government’s findings, Digital Minister Margot James said:

“The UK is home to world leading businesses but the threat of cyber attacks is never far away. We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack.

“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”

The government has made a number of announcements in recent months regarding investments in cyber security infrastructure, research and skills. Most notably, in 2016, Britain’s new National Cyber Security Strategy was launched with £1.9 billion of funding, which included the launch of a National Cyber Security Centre.

Further education needed

The report highlights that only a minority of businesses (16%) have a comprehensive understanding of the impact of loss or disruption associated with cyber threats - for example, customers, share price and reputation. This indicates that most businesses feel the board understanding of impacts could be greatly improved.

Those that do have a comprehensive understanding of the impact of cyber threats tend to have more extensive cyber governance practices in place - indicating that once the board is educated, action is taken.

In addition, in businesses that have a Chief Information Security Officer reporting directly to the board (only 35%), the board is more likely to rate the information they receive as comprehensive.

However, the introduction of GDPR has contributed to a greater level of board engagement in cyber security issues. Some 77% of businesses indicated that board discussion and management of cyber security had increased since GDPR, with more than half of these businesses introducing increased security measures as a result.

Finally, the report notes that the supply chain is increasingly becoming a target for cyber attacks. However, recognition on the board that cyber risks exist in the supply chain appears to be minimal.

Respondents to the government’s Health Check note that less than a quarter of businesses (23%) recognise the cyber risks associated with businesses that are not directly contracted by the business, which could leave them vulnerable to threats.

What can be done?

On areas for improvement, the report states that businesses should take the following steps:

  • Increase the skills and knowledge of existing board members so they better understand their business-critical assets and consider recruiting non-executive directors with a technology background to boost cyber-related skills
  • Consider nominating an individual member of the board to take lead responsibility for cyber security risk management
  • Use the National Cyber Security Centre (NCSC) toolkit which covers the fundamental aspects of cyber security
  • Ensure that the CISO, or an appropriate staff member, is able to clearly communicate information about cyber security to the board in a way that is aligned to business objectives
  • Test cyber incident plans regularly to check they are fit for purpose and consider subjecting them to an external audit
  • Take the NCSC illustrative real-world examples of supply chain attacks into consideration to improve awareness and understanding of the risks