Britain’s top businesses and charities urgently need to do more when it comes to protecting themselves from online threats. According to new Government research and the latest ‘cyber health check’, one-in-ten FTSE 350 companies stated that they’re operating without a response plan being in place for a cyber incident, while less than a third of Boards of Directors (31% of them, in fact) receive comprehensive cyber risk information.
Matthew Hancock, Minister of State for Digital, explained: “We have world-leading businesses and a thriving charity sector, but recent cyber attacks have shown the devastating effects of not making sure that our approach to cyber security is right. The new reports that have just been issued show that we have a long way to go until all of our organisations are adopting Best Practice. I would strongly urge all senior executives to work with the National Cyber Security Centre and take up the Government’s advice and training. Charities must do better to protect the sensitive data they hold. I encourage them to access the tailored programme of support we’re developing alongside the Charity Commission and the National Cyber Security Centre.”
There has been progress in some areas when compared with last year’s ‘cyber health check’, with more than half of company Boards (53%, as opposed to 33% in the last survey) now setting out their approach to cyber risks and more than half of businesses (57%, up from 49%) having a clear understanding of the impact of a cyber attack.
The Government is fully committed to defending against cyber threats. A five-year National Cyber Security Strategy was announced in November last year, supported by £1.9 billion of transformational investment. The defence strategy includes opening the National Cyber Security Centre and offering free online advice as well as training schemes to help businesses protect themselves.
The 10 Steps to Cyber Security guide sets out a comprehensive framework to help company Boards manage cyber risks, from making sure the basics are right through to protecting their most critical assets, while the Government’s Cyber Essentials Scheme outlines the technical basics all companies should have in place.
The Government has also announced proposals on how to help the nation’s essential industries be more resilient to cyber threats through the NIS Directive.
Alex Dewdney, the National Cyber Security Centre’s director for engagement, said: “The NCSC is committed to making the UK the safest place in the world in which to live and transact business online. We know that we cannot do this alone. Everyone has a part to play. That’s why we’re committed to providing organisations with expert advice through our website and direct engagement. We also urge organisations to follow the guidance in the Government’s Cyber Essentials Scheme.”
The results of separate research looking at the cyber security of charities have also been published. The research finds that charities are just as susceptible to cyber attacks as businesses, with many members of staff not being well-informed about the topic and awareness and knowledge varying considerably across different charities. Other findings show that those in charge of cyber security, and especially those in smaller charities, are often not proactively seeking information and are relying on outsourced IT providers to deal with threats.
Where charities recognise the importance of cyber security, this is often due to holding personal data on donors or service users, or having trustees and staff in place with private sector experience of the issue. Charities also recognise those responsible for cyber security need new skills and that general awareness among staff must be raised.
Helen Stephenson CBE, CEO at the Charity Commission for England and Wales, said: “Charities have lots of competing priorities, but the potential damage caused by a cyber attack is far too serious to ignore. It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need and damage its precious reputation. Charities need to do more to educate their staff about the cyber threat and ensure they dedicate enough time and resources to improving cyber security. We want to make sure charities are equipped to do this and encourage them to use the advice on our Charities Against Fraud website. We also continue to work closely with the Department for Digital, Culture, Media and Sport in order to help charities protect themselves online.”
FTSE 350 Cyber Governance Health Check
The FTSE 350 Cyber Governance Health Check is the Government’s annual report providing insight into how the UK’s biggest 350 companies deal with cyber security. It’s carried out in collaboration with the audit community, including Deloitte, EY, KPMG and PwC.
The Government will soon be introducing its new Data Protection Bill to Parliament. Because the Bill comes into effect next May and implements the European Union’s (EU) General Data Protection Regulation (GDPR), this year’s report has for the first time included questions about data protection.
The new data protection law will strengthen the rights of individuals and provide them with more control over how their personal data is being used.
The report finds that:
* awareness of the EU GDPR is good, with almost all firms (97%) aware of the new regulation
* almost three-quarters (71%) of firms said they were somewhat prepared to meet the GDPR requirements, with only 6% being fully prepared
* just 13% said the GDPR was regularly considered by their Board
* 45% of Boards say they’re most concerned with meeting GDPR requirements relating to an individual’s right to personal data deletion
Ilia Kolochenko, CEO of web security company High-Tech Bridge, told Risk UK: “I think we’re moving in the wrong direction by shifting the blame and responsibility for cyber crime to C-level management in a smooth, but obvious manner. Top management should unquestionably be involved in cyber security strategy, data protection and privacy, but we tend to shift the entire burden on to them, forgetting that C-level managers have much bigger and vital problems to take care of, from vigorous competition with China through to the disruption of usual business processes with emerging technologies such as Artificial Intelligence or blockchain. Cyber security leaders should be responsible for securing and preparing the Board and other C-level executives to resist cyber attacks without disturbing them.”
Kolochenko added: “British law enforcement is undertaking laudable and exemplary efforts to protect national businesses, but undoubtedly needs more financial support from the Government to train new experts both in offensive and defensive areas. Currently, the scarce resources available are largely insufficient to defend citizens and businesses. Cyber security is complementary for any business or organisation. If a business isn’t profitable enough then the Chief Information Security Officer will not even receive a salary.”
Zubin Randeria, cyber security leader at PwC, commented: “The report’s findings echo those of the PwC CEO Survey, which found that three-quarters of UK CEOs consider cyber risks to be a significant threat to their business, while 97% are addressing cyber incidents. It’s positive that cyber security is now front of mind for Boards and business leaders, but concerning that many are still not equipping themselves with the right knowledge to respond when the worst does happen. Cyber security attacks are now an everyday reality and it’s the responsibility of business leaders to make sure they’re prepared.”
Randeria also stated: “The most successful leaders will be those who take an active involvement in cyber security governance and set the tone from the top. This isn’t an issue to be delegated to more technical teams. Investors, customers, the media and the general public all routinely scrutinise companies’ responses to cyber security incidents, as we’ve seen from the recent ransomware attacks. Companies that fail to prepare to respond to a breach also leave themselves exposed to a potentially damaging commercial and reputational backlash.”
EU GDPR guidance
The Information Commissioner’s Office (ICO) has produced guidance for organisations on implementing the EU GDPR, including a checklist for businesses on the actions they need to take. In addition, the ICO has organised a series of interactive workshops and webinars.
The ICO will also produce guidance for organisations about their responsibilities under the GDPR, and for individuals on their rights under the GDPR. The Department for Digital, Culture, Media and Sport (DCMS) will continue to work closely with the Information Commissioner’s Office during the transitional period.
The DCMS has commissioned the UK Cyber Security Sectoral Analysis Survey to provide statistics about the size and scale of – and the future opportunities for – the UK’s cyber security industry.