Boards 'still lack security nous' says Thomson Reuter report
Boardrooms still lack security awareness, according to a new report - despite board-level cyber security awareness being a key plank in the Government's £640 million national cyber security programme.
Boardrooms still lack security awareness, according to a new report – despite board-level cyber security awareness being a key plank in the Government's £640 million national cyber security programme.
Thomson Reuters' annual 'Board Governance' survey found issues around electronic communications within boardrooms, due to insufficient security processes. In particular, it says: “Over three-quarters of organisations utilise non-commercial, unsecure personal email accounts to distribute board materials and almost half of the organisations do not encrypt board communications.”
The survey of around 125 general counsel and company secretaries also found that 62 percent of the respondents had heard of situations where board members have left sensitive information in public places - a 12 percent increase on last year.
“Outdated board procedures, unsecure distribution channels and costly board materials are all contributing to increased security gaps,” the report says. “The survey results indicate a lot of security gaps and risk oversight by organisations.”
However, over three-quarters of respondents did say their board actively set a risk culture and cascade their risk policy to management - a significant increase from 57 percent in the comparable 2012 survey.
The boardroom lapses come despite an ongoing government campaign to raise cyber security awareness at the top of UK organisations.
As part of that, cyber security minister Chloe Smith announced almost a year ago: “We want boards, customers and investors to think about cyber security issues when they are making purchasing or investment decisions. We want the market to identify and reward good practice.
“To this end we will work with, amongst others, the Institute of Chartered Secretaries and Administrators, the Audit Committee Institute (Audit Chairs), the Association of General Counsel, Company Secretaries of the FTSE 100, and the International Corporate Governance Network to establish cyber security as a significant business risk requiring the attention of company boards.”
In July, Commons Home Affairs Select Committee chairman Keith Vaz MP even called cyber crime “a more serious threat than a nuclear attack".
Despite this, Mike Loginov, CEO of UK-based cyber security consultancy Ascot Barclay, told SC Magazine UK that he was not surprised boards still lack security awareness.
“We do a lot of cyber security awareness for executive teams, HR and IT teams, and across all three of those communities the level of awareness is still alarmingly low. There's a huge job to be done and government is aware of this and are ploughing millions into helping to raise the profile and the issues.”
One key problem, Loginov felt, is that cyber security is “still perceived as an IT problem and not a business issue”. He added: “If I was to put a scale on it we're probably at a level two on a 10-point scale in terms of the amount of work to do. Obviously certain organisations are pretty aware, but the bulk are not.”
Ramses Gallego, board director of ISACA, the global association of IT governance professionals, and a security strategist and evangelist with Dell Software, told SC that, “Companies in these challenging times have to breathe security at the top. If that tone is not at the top, we are doing something wrong. ”
But Gallego said that “awareness is always a challenge. It might be disappointing but we just have to keep spreading the word. I'm not surprised that there is still room for improvement.”
Chris Perry, managing director for risk at Thomson Reuters, commented on the report, saying, “Corporate governance is becoming increasingly complex due to demanding regulatory requirements and scrutiny on organisations' compliance. In this time of heightened risk, it is extremely important for companies to protect their organisation from reputational damage."