Just 1% of FTSE 350 companies feel they have the expertise and knowhow to navigate innovation and risk in the digital world, according to the results of a health check devised by MI5, GCHQ and the Department for Business, Innovation and Skills (BIS).The FTSE 350 ‘Cyber Governance Health Check’, which also had input from PriceWaterhouseCoopers (PwC), assessed the cyber-risk savvy of FTSE 350 boards and audit committees.
If the countless and highly consequential cyber breaches of recent years should alarm big business, there’s no sign of it in this poll. Although nearly nine in 10 (88%) of those canvassed have a cyber risk category within their strategic risk register, 71% do not consider cyber a ‘top risk’.
Some 92% of respondents say their boards have a clear or acceptable understanding of the value of key information and data assets, but one in three say the risks associated with maintaining this information is “never” reviewed. A quarter (25%) of firms admitted that boards never receive intelligence about who might be targeting the organisation from their company’s senior cyber risk owner.
Fifty percent of respondents believed they had responded ‘very’ or ‘quite well’ to cyber compromises and breaches over the last 12 months and 93% felt that employees were comfortable with reporting suspected threats. Seventy four percent claimed their boards took the threat of cyber crime ‘very seriously’.
Asked if they felt their company could do more to protect itself against breaches, 49% agreed.
“To prosper in the digital world, businesses have to manage their cyber security risk and so it is encouraging to see that most FTSE 350 companies place cyber risk firmly on the board agenda,” says Richard Horne, cyber security partner at PwC. “However, to truly manage cyber risk more needs to be done.
“As recent events have shown, the cyber security threat landscape continues to evolve fast. Boards must review their risk regularly and ensure that the organisation is managing its vulnerabilities and keeping pace with the sophistication and scale of the threat. Boards must develop the skills and capabilities to understand the impact of cyber threats on their organisation and shape the necessary strategic response.
“In today’s digital world, securing key data and digital processes is now a core element of business management.”
Asked about the recent announcement of a joint US -UK ‘cyber squad, Horne said:
“As the Prime Minister and US President point out, cyber attacks are a real threat to all businesses. In the digital world we now live in, all businesses rely on processes and data that is stored electronically. Protecting that data and those processes is fundamental, and now a core part of business management.
“In helping global businesses build their defences and respond to breaches, we see the impact that a breach can have on a company that is unprepared. However, it is not an unmanageable risk; whilst attacks are becoming more sophisticated, so too are defences. With focused investment, preparation and the right skills companies can defend themselves by both preventing the vast majority of breaches, and reacting rapidly and appropriately when incidents do happen.
“The financial costs of not acting can be crippling. The average cost of an organisation’s worst security breach is rising significantly year on year.
“For small organisations, the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.*
“Due to the global nature of cyber risk, collaboration between the UK and the US is paramount to combatting the threat.”
