Less than a third (105 companies) of FTSE 350 company boards responded to the UK Government's voluntary Cyber Governance Health Check Report 2017 – which suggests that the figure of 68 percent of respondents receiving no training to deal with a cyber-incident is actually far worse in industry as a whole, as those responding presumably rated the issue a higher priority.
Other key findings from those that did choose to respond are that, even among these companies, ten percent did not have a plan in place to respond to a cyber-incident, and only six percent said that their business was completely prepared to meet the requirements of GDPR.
On a more positive note, more than half (57 percent in 2017 compared to 49 percent in 2015/16) said that they had a clear understanding of the potential impacts resulting from a loss of, or disruption to, key information or data assets. Similarly, 54 percent (also up from 49 percent in 2015/16) viewed cyber-risk as a top/group risk compared with all the risks faced by their company. And 31 percent of boards reported receiving comprehensive and informative management information on cyber-risk.
So there is clearly increased and increasing awareness and understanding among industry leaders, but even here, among the self-selecting group of leading UK businesses, the situation is far from adequate, and it does raise concerns about what the rest of British industry may be like.
Paul Taylor, UK head of Cyber Security at KPMG, which conducted the research, said in a press statement: “While cyber-security has cemented itself onto the board's agenda, they often lack the training to deal with incidents. This is hugely important as knowing how to deal confidently with an incident in the heat of the moment can save time and money. The aftermath of a cyber-attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge.” He went on to note that with GDPR less than a year away, 46 percent of boards still do not review and challenge reports on the security of their customer's data – even though this figure has decreased by 15 percent from last year. Yet, 71 percent of businesses describe themselves as somewhat prepared to meet the requirements of the GDPR, but only six percent say they are completely prepared. When asked which GDPR requirements were causing businesses the greatest concern in terms of meeting compliance, 45 percent of respondents cited an individual's rights to personal data deletion.
Commenting on the lack of training, Marco Cova, senior security researcher at Lastline, emailed SC to say: “While this is a somewhat worrying revelation, it's definitely not surprising. Board members with diverse job functions within an organisation have struggled in the past to understand how serious a cyber-incident can be. While large-scale incidents like NotPetya may have gone some way towards remedying this, there is still something of a disconnect between the security team, the CISO, and the board. This is a problem which requires a top-down solution, with the board and the CEO engaging more with how to respond appropriately to cyber-incidents in order to set a good example for all employees below them in the business.”
Rob Wilkinson, corporate security specialist at Smoothwall, concurs, adding, “... the high-profile directors without any basic training on how to deal with cyber-attacks could send a company's stock falling in the future. With no immediate threat of another financial crisis, the main threat to SMEs and large businesses now presents itself in the form of a cyber-attack that could cripple databases, steal sensitive information and extract money. Companies ought to be aware of how to deal with such an incident should it occur, putting in the necessary training from high-level director right down to intern – this is important when you consider that the majority of cyber incidents occur through human error. Although the report states that 54 percent of companies believe cyber risk is a ‘top’ when compared to other risks within a company (an improvement on last year), this just doesn't feel like enough in 2017.”
Stuart Clarke, chief technology officer, cybersecurity, at Nuix agreed but wanted to emphasise that training goes beyond the board, saying, “CEOs must understand that a rigorous employee awareness training programme for every employee helps reduce overall cyber-security risk. It helps people understand when they are being asked to bend the rules – or when other users are compromising critical information – as well as how and to whom they should report this behaviour. It also helps protect the organisation's information ‘crown jewels’ – including credit card information, personal details and intellectual property – and control the number of users who can access this important data.”
This approach was expanded upon by Oz Alashe, CEO of CybSafe, who says: “Because of what is at stake, security training needs to be an item in the diaries of both staff and company bosses. Business leaders are just as vulnerable as staff.
“Almost all cyber-attacks nowadays can be attributed, in one way or another, to our innate human psychology. Motivators like excitement, curiosity, doubt, and boredom can all be leveraged to accomplish a successful phishing attack, and in this sense, company leaders are just as vulnerable as their staff. In spite of the clear role that human psychology plays in the cyber security landscape, business has strangely yet to properly confront the human element – the lack of knowledge – which drives cyber-crime.”
Wilkinson also supported this approach saying: “Security is an issue that must be taken seriously by each and every company; whether you're an SME as part of a wider supply chain, a large telecoms company or even an electricity firm, no company is immune to a hack or breach. In this vein, ensuring a strong security culture is instilled throughout the workforce is crucial to making sure staff are constantly vigilant and aware of the threats. If the top brass don't pay attention to these threats, it's not going to set a good example for the rest of the business' employees. Complying with regulation and building a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance, is the only way – coupled with solid cyber training for each employee – to mitigate the risks involved should an incident occur.”
John Smith, principal solutions architect at Veracode, then took this out to suppliers, saying, “Organisations need to introduce governance and controls to ensure that best practice application security is rolled out across the entire company and its associated partners. This is something that the manufacturing industry, for example, has been particularly strong at – as existing controls have helped them to enforce the mandate anywhere they have an application – both in their own company and with their suppliers. And this kind of security process need not aggravate suppliers or partners; indeed some forward-thinking companies have actually paid for the necessary appsec solutions to help their partners and suppliers become compliant with their company policies.”
Alashe then brought it back to people, saying that continuous engagement and education on the risks of cyber-attacks is vital in ensuring the C-suite's complete buy-in to a data security strategy, and he recommends that businesses also announce the death of IT training manuals when it comes to cyber-security. “They must move IT security awareness training away from being a box-ticking exercise to a more immersive experience that can actually make a difference in an employee's behaviour. For example, repeated regular input has been proven to be more effective than large dumps of information, so an engaging weekly training exercise that takes 10 minutes to complete will be more effective than a cyber-awareness course lasting half a day, completed every six months. This behavioural science approach to cyber-security could prove vital in ensuring lasting and productive engagement on data security issues from the entire C-suite.”
Governance and risk are areas the board is familiar with, and Smith points out that the findings highlight the serious concern among executive board members about the increase in supplier liability when data breaches occur. Smith notes, “With Gartner reporting that over 42 percent of CEOs have begun digital transformation in their business, the consumption of software and applications has risen dramatically – underpinning an increasing number of business operations. However, this introduces increased risk into the organisation, with software vulnerabilities constantly targeted by cyber-criminals to insert malware or leak data,” including via suppliers.
While training may be lacking, cyber-awareness has improved, and Clarke noted, “The reality is that cyber-security is now impossible to ignore. We're seeing large-scale attacks increase in frequency, and the worst thing is – many are often preventable. In the case of attacks such as WannaCry and Petya, both attacks took advantage of the same vulnerabilities – a technical vulnerability that had already been patched and the human vulnerability that is of critical importance. If organisations had practised good cyber-hygiene and developed a cyber-aware organisation, both could have easily been prevented.”
Smith also recommends that, with GDPR on the doorstep, businesses in all industries need to “... look at how they can ensure that the software and applications that their suppliers are using meet their own security standards. Only this way can they ensure that their suppliers and partners aren't risking their compliance, and perhaps more importantly their security.”
On a more fundamental level, Laurance Dine, managing principal, investigative response, at Verizon concludes: “Today's government report holds no real surprises. Whilst we're seeing a growing awareness of the risk that cybercrime presents, the majority of organisations are still underprepared to deal with its impact. A lot of this comes down to a lack of basic cyber-hygiene, such as not having basic security controls and processes in place, or failing to train employees – or in this case business leaders – on how to deal with the threat.
“Ultimately, we'll continue to experience the same old problems until organisations start to take cyber-security more seriously; treating it as a business-level concern, rather than an IT problem. The fact that less than a third of boards receive comprehensive cyber risk information clearly shows that this just isn't the case today.”