FTSE 350 companies feeling “unprepared” to manage cyber risk in an increasingly digital world

FTSE 350 boards are growing more confident in their investments to mitigate cyber risks, but they are also aware of the huge scale of the challenges ahead

According to the results of the FTSE 350 Cyber Governance Health Check, FTSE 350 Boards of Directors are growing more confident in their investments to mitigate cyber risks, but they are also aware of the huge scale of the challenges ahead. Just 1% of the companies surveyed feel their Board is fully informed and skilled enough to manage innovation and risk in the digital world.

For the second year, PwC has helped FTSE 350 companies complete the Health Check which is run by MI5, GCHQ and the Department for Business, Innovation and Skills. The process assesses how well FTSE 350 Boards of Directors and Audit Committees understand and oversee risk management measures and subsequently address their cyber security threats.

Cyber security is clearly on Boardroom agendas, with the majority of companies (88% of those surveyed, in fact) having a cyber risk category within their strategic risk register.

However, with an increasing number of cyber breaches occurring in 2014, only 29% of the 108 companies that completed the Cyber Governance Health Check believe cyber is a ‘top risk’, suggesting that companies need a more mature approach to cyber risk management.

While most (92%) of respondents say their Boards have a clear or acceptable understanding of the value of key information and data assets, one in three state that the risks associated with maintaining this information are “never” reviewed. This issue is further compounded by 25% of firms taking part in the survey reporting that their Boards never receive intelligence from the company’s senior cyber risk owner about who might be targeting the organisation.

On a more positive note, half the respondents to the Cyber Governance Health Check said their company has responded ‘Very well’ or ‘Quite well’ to cyber compromises and occurrences over the last year, while almost all (93%) felt that employees were now comfortable with reporting such compromises.

The cyber risk responsibility is placed firmly with the Board. 74% of Boards are said to take cyber risk very seriously.

However, given the ever-changing risk landscape, there remains a degree of uncertainty around the cyber threat, with some 49% of respondents feeling there is more that companies can do to protect themselves.

Managing cyber risk: “More needs to be done”

Speaking about the survey results, Richard Horne (cyber security partner at PwC) explained: “To prosper in the digital world businesses absolutely have to manage their cyber security risk. It’s encouraging to see that most FTSE 350 companies place cyber risk firmly on the Board agenda. That said, in order for them to truly manage cyber risk more needs to be done.”

Elaborating on that last point, Horne commented: “As recent events have shown, the cyber security threat landscape continues to evolve at a fast pace. Boards of Directors must review their risk on a regular basis and ensure that the organisation is both managing its vulnerabilities and keeping pace with the sophistication and scale of the threat. Boards must develop the skills and capabilities to understand the impact of cyber threats on their organisations and shape the necessary strategic response.”

Importantly, Horne asserted: “In today’s digital world, securing key data and digital processes is now a core element of business management.”

Horne has also responded to the recent announcement concerning the establishment of a joint US and UK ‘cyber squad’. “As Prime Minister David Cameron and US President Barack Obama have pointed out, cyber attacks are a real threat to all businesses. In the digital world we now live in, all businesses rely on processes and data that’s stored electronically. Protecting that data and those processes is fundamental.”

Horne continued: “In helping global businesses build their defences and respond to breaches, we see the impact that a breach can have on a company that’s unprepared. However, it’s not an unmanageable risk. While attacks are becoming more sophisticated, so too are the defence mechanisms. With focused investment, preparation and the right skills companies can defend themselves by both preventing the majority of breaches and reacting rapidly and appropriately when incidents do happen.”

According to Horne, the financial costs of not acting can be crippling. “The average cost of an organisation’s worst security breach is rising significantly year on year,” he urged. “For smaller organisations, the worst breaches cost between £65,000 and £115,000 on average. For large organisations, that statistic is somewhere between £600,000 and £1.15 million.”*

Due to the global nature of cyber risk, Horne is adamant that collaboration between the UK and US Governments is “paramount” when it comes to combating the threat.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
