This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Boards 'still lack security nous' says Thomson Reuter report

Share this article:

Boardrooms still lack security awareness, according to a new report - despite board-level cyber security awareness being a key plank in the Government's £640 million national cyber security programme.

Boardrooms still lack security awareness, according to a new report – despite board-level cyber security awareness being a key plank in the Government's £640 million national cyber security programme.

Thomson Reuters' annual 'Board Governance' survey found issues around electronic communications within boardrooms, due to insufficient security processes. In particular, it says: “Over three-quarters of organisations utilise non-commercial, unsecure personal email accounts to distribute board materials and almost half of the organisations do not encrypt board communications.”

The survey of around 125 general counsel and company secretaries also found that 62 percent of the respondents had heard of situations where board members have left sensitive information in public places - a 12 percent increase on last year.

“Outdated board procedures, unsecure distribution channels and costly board materials are all contributing to increased security gaps,” the report says. “The survey results indicate a lot of security gaps and risk oversight by organisations.”

However, over three-quarters of respondents did say their board actively set a risk culture and cascade their risk policy to management - a significant increase from 57 percent in the comparable 2012 survey.

The boardroom lapses come despite an ongoing government campaign to raise cyber security awareness at the top of UK organisations.

As part of that, cyber security minister Chloe Smith announced almost a year ago: “We want boards, customers and investors to think about cyber security issues when they are making purchasing or investment decisions. We want the market to identify and reward good practice.

“To this end we will work with, amongst others, the Institute of Chartered Secretaries and Administrators, the Audit Committee Institute (Audit Chairs), the Association of General Counsel, Company Secretaries of the FTSE 100, and the International Corporate Governance Network to establish cyber security as a significant business risk requiring the attention of company boards.”

In July, Commons Home Affairs Select Committee chairman Keith Vaz MP even called cyber crime “a more serious threat than a nuclear attack".

Despite this, Mike Loginov, CEO of UK-based cyber security consultancy Ascot Barclay, told SC Magazine UK that he was not surprised boards still lack security awareness.

“We do a lot of cyber security awareness for executive teams, HR and IT teams, and across all three of those communities the level of awareness is still alarmingly low. There's a huge job to be done and government is aware of this and are ploughing millions into helping to raise the profile and the issues.”

One key problem, Loginov felt, is that cyber security is “still perceived as an IT problem and not a business issue”. He added: “If I was to put a scale on it we're probably at a level two on a 10-point scale in terms of the amount of work to do. Obviously certain organisations are pretty aware, but the bulk are not.”

Ramses Gallego, board director of ISACA, the global association of IT governance professionals, and a security strategist and evangelist with Dell Software, told SC that, “Companies in these challenging times have to breathe security at the top. If that tone is not at the top, we are doing something wrong. ”

But Gallego said that “awareness is always a challenge. It might be disappointing but we just have to keep spreading the word. I'm not surprised that there is still room for improvement.”

Chris Perry, managing director for risk at Thomson Reuters, commented on the report, saying, “Corporate governance is becoming increasingly complex due to demanding regulatory requirements and scrutiny on organisations' compliance. In this time of heightened risk, it is extremely important for companies to protect their organisation from reputational damage."

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.

Hackers smuggle out stolen data disguised as videos

Hackers smuggle out stolen data disguised as videos

Around a dozen organisations, including at least one financial sector company, have been hit by a new form of hacking where attackers hide stolen corporate data inside video files that ...