Some of the UK’s most profitable firms are failing to ensure that they meet proper security standards and can manage the risks of a cyber attack, according to new figures.
Despite 74 percent of companies believing that their Boards were taking cyber security very seriously, a survey carried out by KPMG as part of the Government’s Cyber Governance Health Check uncovered a number of worrying discrepancies.
Overall, nearly 40 percent of FTSE 350 board members said they didn’t believe they possessed an ‘acceptable understanding’ of their company’s key information and data assets, and a further 55 percent said they understood the potential impact of losing any of it.
Additionally, a quarter of respondents said they never receive regular high-level intelligence from company CIOs or Heads of Security on the types of online threats their businesses may face.
However, when pressed further, only 24 percent said they regularly reviewed the risk management around valuable company information and data assets. Surprisingly, 65 percent said they rarely or never did so.
There also seemed to be widespread confusion over who in the company should ultimately be responsible for cyber security. Only 16 percent of respondents said the buck should stop with the Chief Executive Officers, and 31 percent said Chief Financial Officers should shoulder the responsibility.
Only 15 percent believed that the responsibility sat with the Chief Information Officer.
“Cyber security may be moving up the Board agenda but clear communication between Boards and management remains patchy at best,” said Malcolm Marshall, global leader of KPMG’s cyber security practice. “Regular Board engagement on this issue is critical to ensuring companies remain alert to this growing threat.”
“Alarmingly, just 39 percent of Board members saw cyber risk as an operational risk when comparing it to other threats their companies face. This is a clear indication that Boards have some way to go to understanding the consequences that a cyber-attack can have on the brand and bottom-line.”
The study also found a significant increase in the number of FTSE 350 firms carrying out due diligence on third-party providers before signing contracts: nearly half (44 percent) said they do so, up from just 7 percent last year.
Overall, 48 percent said they had inserted clauses in their contracts on cybersecurity risk, up from a third in 2014.
“It’s fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security as, with each link in the supply chain being tightened, the chances of a breach diminish,” said Marshall. “It’s also clear that steps can be taken in a short space of time if organisations work together, giving real genuine hope of progress for companies of all sizes. However, focusing on contractual obligations alone isn’t enough. Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, the baby steps made to date will turn into huge strides on the path towards great cyber security.”