Fewer than a fifth (16 percent) of FTSE 350 boards have a comprehensive understanding of the impact of loss or disruption associated with cyber-threats, according to a key annual report from the UK Government.
The Cyber Governance Health Check found other holes too: the majority of businesses (95 percent) have a cyber-security incident response plan, but only around half (57 percent) actually test it on a regular basis. On the brighter side, almost all of the FTSE 350 (96 percent) have a cyber-security strategy in place - apparently leaving four percent of the UK's largest listed companies with no cyber-strategy at all.
Gavin Cartwright, associate partner, cyber-security at EY said: "With only 1 in 5 FTSE 350 companies undergoing a cyber-simulation last year, the report highlights that cyber-security is still not fully embedded in the culture of many of these companies. In addition to having cyber-security strategies in place, organisations and their boards need to continually build and invest in their in-house capabilities, practice responses and train and evaluate cyber-first responders across their business and supply chain."
Meanwhile, overall awareness of the threat posed by cyber-attacks has increased, with nearly three quarters (72 percent) of respondents acknowledging that the risk of cyber-threats is high, a big improvement on the just over half (54 percent) who said so in 2017.
Margot James, digital minister, said: "We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made."
Another positive has been the impact of GDPR, which has increased the attention that boards are giving cyber-threats. More than three quarters (77 percent) of those responding to the 2018 health check said that board discussion and management of cyber-security had increased since GDPR, and more than half of those businesses had also put in place increased security measures.
Kevin Williams of the KPMG UK cyber-security practice, said: "Cyber-security is a business issue, not an IT issue. Some of the more successful companies ensure regular reporting on cyber-risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents.
"There continues to be a need for a more comprehensive understanding of the impact of loss or disruption associated with cyber threats to an organisation. The investment needs to be not only financial but in education for all and ensuring the right resources are in place to innovate, take advantage of new technological advances, whilst assessing the risks and responding accordingly."
The 2018 FTSE 350 Cyber Governance Health Check has been published by the UK Government, alongside the National Cyber Security Centre's Board Toolkit, which is designed to help boards understand and quantify their cyber-risk profile.