A proposed cyber governance health check could face a first hurdle with a number of companies not signing up to take part.
Speaking to SC Magazine, Sarb Sembhi, chair of the ISACA European GRA sub-committee, said that he understood that those behind the organisation of the health check had struggled to attract 100 organisations to take part.
He said: “It requires time to do a health check. If they can only attract 100 companies across the UK to do this, then that is not much at all, but I understand that they have not got enough businesses to do the health check.
“Part of the problem is that this is targeted at small to medium enterprises (SMEs) and they do not understand the need to do a health check. Another part of the problem is it may only be for a limited period and there is a large amount of work that security teams will need to put in too.”
Nigel Stanley, CEO of Incoming Thought, said that some businesses will see the benefit of this, but the challenge will be beyond the health check itself: some businesses will not know their security posture, will not want to know, and will bury their heads in the sand.
He said: “A vertical will say ‘how does this help the business’ and they will want to know how to measure the success of it, while some will not want to know.”
Stanley went on to say that as few things in life are free, there may be a consideration that there is a hidden agenda behind this. “The bigger issue is considering the business benefit of going through this process,” he said.
“This could be seen as a regulator with a big stick, but what if a government investigation after the fact finds that your security posture is very poor?”
A Cabinet Office spokesperson told SC Magazine that the project was just getting off the ground and that letters had been sent out this week to the FTSE 350 businesses, so to question its effectiveness was premature.
They said: “It will look at areas of raising awareness and technical diagnostics, and about the basics. I think it is a bit premature to assess the effectiveness at this early stage as this is a part of a wider range of awareness campaigns for cyber security.
“It is part of the project to encourage awareness on cyber security as businesses have reputations and shareholders to protect. The health check is going to be about the security of that group of companies, there will be no tagging or badging of companies, so to criticise it is a bit pre-emptive.
“GCHQ and government agencies are behind this and have written to the FTSE 350 to get them to sign up to this; but if we don't get them all but get 100 or 250, then that will be good.
“This is an opportunity for us to flag that the threat is growing with cyber security, that the scale is increasing and that the complexity is also. Companies need to sit up and take notice of instances and the heightened risk.”
The intention of the Government-backed cyber governance health check was announced by the FT this week. It will involve the chairman of a company and the chair of the company's audit committee completing a questionnaire that will assess how well the company handles issues such as protecting intellectual property and safeguarding customer data.
The second stage of the health check will be detailed discussion with the company's audit firm about areas in which a company may be particularly vulnerable. The results from this will be aggregated on an anonymous basis, to enable companies to see how they rate compared with peers.
Research released yesterday by KPMG showed that on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company in the FTSE 350. KPMG said it is supporting the initiative by helping FTSE 350 companies identify potential flaws in their cyber security procedures.
Malcolm Marshall, global head of information protection and resilience at KPMG, said: “By building an understanding of UK plc's cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business.”