The latest Government Cyber Governance Health Check has revealed that the top UK Boards still don’t understand the impact of a cyber attack on their business. Fewer than one-in-five Boards can claim to understand the impact of loss or disruption associated with cyber threats, despite 96% of them having a cyber security strategy in place.
The report shows that the full implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is having a positive effect in increasing attention towards cyber threats, with more than three-quarters (77%) of respondents saying that Board discussion and management of cyber security had increased since the implementation of the GDPR. However, the understanding seemingly isn’t there.
The Government’s Digital Minister Margot James said: “The UK is home to world-leading businesses, but the threat of cyber attacks is never far away. We know that companies are well aware of the risks, but more needs to be done by Boards to make sure that they don’t fall victim to a cyber attack. This report shows that we still have a long way to go, but I’m also encouraged to see that some improvements are being made. Cyber security should never be an add-on for businesses. I would urge all executives to work with the National Cyber Security Centre and take up the Government’s advice and training that’s available.”
Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), stated: “Every company must fully grasp their own cyber risk, which is why we have developed the NCSC’s Board Toolkit to help them. This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice. Cyber security is a mainstream business risk, and Board members need to understand it in the same way they understand financial or Health and Safety-related risks.”
Too much exposure for organisations
Adenike Cosgrove, cyber security strategist for EMEA at Proofpoint, commented: “The EU has shown that it’s far from toothless when it comes to dishing out fines for non-compliance with the GDPR. Google’s £44 million fine in January is a perfect example of that. The latest FTSE 350 Cyber Governance Health Check 2018* states that 77% of companies reported that Board-level discussion and management of cyber security had increased since the GDPR. While this is encouraging to see, there’s still too much exposure for organisations when it comes to data governance.”
Cosgrove added: “It’s clear organisations are not confident that their GDPR compliance strategy is fit for purpose, while a worrying number of companies have yet to take initial steps to fix this business issue. Having complete visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data is the bare minimum.”
In conclusion, Cosgrove informed Risk Xtra: “With today’s threats targeting the human factor and phishing representing 93% of breaches according to Verizon’s latest report, it’s critical for companies to build a people-centric security and compliance strategy. The Google fine should have been enough to convince any Board that regulations around data security are not to be taken lightly. Boards should be committing resources to become GDPR compliant if their organisation isn’t already there.”
Companies should ensure that cyber risks are taken into account in their business strategy and appoint a Chief Information Security Officer or other appropriately-placed staff member who can clearly communicate information about cyber risks to the Board.
Effective cyber security strategies
In response to the UK Government’s findings, Jake Olcott (vice-president of Government affairs at BitSight and who has previously served as legal advisor to the Senate Commerce Committee and as counsel to the House of Representatives’ Homeland Security Committee) observed: “An effective cyber security strategy must receive Board-level approval. Too many organisations leave cyber risk management to IT or IT security professionals. This approach can result in poor prioritisation, misplaced resources and other failures. Those organisations with executive and Board support for cyber risk management are more likely to be successful in reducing risk.”
He added: “There are crucial cyber risk management steps that companies should take to mitigate the risk of a cyber attack. These include examining the cyber incidents that could have a major reputational and economic impact on the organisation, running a security incident exercise and, crucially, making sure that the Board is brought up to speed on the effectiveness of cyber security programmes. To mitigate cyber risk on a day-to-day basis, organisations must constantly monitor their diligence at implementing security Best Practice and user behaviour.”
Olcott went on to state: “It’s also important that organisations know their industry’s security performance standards and perform peer and sector-wide security benchmarking. Traditional approaches to cyber assessment, such as point-in-time security audits and compliance reviews, provide only a limited internal security performance analysis with no insight into industry-wide standards for a comprehensive, real-time comparative assessment.”
*The annual FTSE 350 Cyber Governance Health Check assesses and reports on cyber security risk management in the UK’s 350 largest firms. For its fifth iteration, the Department for Digital, Culture, Media and Sport worked with Deloitte, EY, KPMG and PwC to deliver the 2018 Cyber Health Check. The research was carried out in October and November 2018, with the final report published this month.