The Government's long-running campaign to get board directors to take cyber security seriously is still struggling to bear fruit: a damning survey reveals that the directors of 86 percent of Britain's biggest companies still do not regularly consider the cyber threat in their decision making.
In response, the Government is promising to launch a 'kitemark' standard to drive the adoption of good cyber practices in business. The standard, developed with industry, will be unveiled early next year as part of the Government's £860 million National Cyber Security Programme.
The new survey, conducted by the Department for Business, Innovation & Skills (BIS) with MI5 and GCHQ, questioned the directors responsible for audit at the FTSE 350 and found that only 14 percent regularly consider cyber threats, with a significant number receiving no intelligence at all about cyber criminals.
The 'Cyber Governance Health Check' finds that for almost three-quarters of respondents, cyber risks do not feature regularly in their board updates. Only 17 percent feel their boards have clearly set and understood the appetite for cyber risk, and half fear that they are barely qualified, or possess the right skills only to some extent, to manage risk in the digital age.
However, 62 percent of companies insist their board members are taking the cyber risk very seriously.
Science Minister David Willetts said: “The cyber crime threat facing UK companies is increasing. Many are already taking this extremely seriously, but more still needs to be done. We are working with businesses to encourage them to make cyber security a board-level responsibility.”
Mark Raeburn, CEO of independent security consultancy Context Information Security, warned the study shows many board directors are still suffering from “false confidence”.
He told SCMagazineUK.com: “The prime challenge is that at the executive level there is still an assumption of security and it is common for them to assume that the company is secure. The reality is that if faced by a determined threat actor, there should be no false confidence in the organisation's security.”
Richard Horne, cyber security partner at PricewaterhouseCoopers (PwC), agreed, telling SCMagazineUK.com: “Whilst it is encouraging to see that most of the FTSE 350 companies acknowledge the cyber security risk to their enterprises, it appears that in many companies more needs to be done to drive true management of that risk.
“Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. They also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”
The survey was conducted via the UK's six top audit firms, including PwC and KPMG.
Malcolm Marshall, head of information protection and business resilience at KPMG, said the survey had successfully moved cyber security up the boardroom agenda, adding: “We found a wide range of board-level views, with some senior executives seeing cyber security as boring, some seeing it as sexy, others seeing it as over-hyped and still more as a necessary evil. The one consistency is that they are struggling to find the right balance between managing risk and making investments in a world where the threats constantly change.”
PwC's Richard Horne told SCMagazineUK.com it is encouraging that a number of boards now have risk reporting and cyber security as a risk category. But he added: “They now need to embed those approaches, to get a feel for how this risk is being managed across the organisation. At the moment this is less formalised, less mature, maybe in some companies a bit ad hoc.”
Horne said the required mature risk management approach entails: “Having a good understanding at the board of what the issues are, having the regular intelligence around the risk, having the regular metrics being reported to you, being able to apply those metrics to the decision-making process. It's in all those areas that companies need more maturing.”
Speaking about the forthcoming kitemark, David Willetts said: “The cyber standard will promote excellence in tackling cyber risks, help businesses better understand how to protect themselves, and ultimately increase the nation's collective cyber security.”