The Government has issued the “2017 Cyber Governance Health Check” showing that FTSE 350 businesses are now more aware of the importance of good cyber security, but not improving their cyber maturity fast enough.
The Cyber Governance Health Check is a non-technical governance questionnaire which assesses the extent to which boards and audit committees of FTSE 350 companies understand and oversee risk management that address cyber security threat to their business. The annual survey was first carried out in 2013.
FTSE 350 businesses are now reported to be more aware of the importance of good cyber security which is encouraging news. According to the report organisations are now identifying that cyber security is an important aspect for protecting their services, reassuring the public on the safety of their personal data and for measuring the organisations own exposure to cyber risk.
Boards are increasingly taking responsibility for cyber security
The report shows that there has also been a significant positive culture change since the launch of the Cyber Governance Health Check Scheme in 2013 with decisions about cyber security increasingly being taken at board level. In the last year alone there has been a 10% increase in boards receiving management information on cyber risk, though this does still only represent 31% of boards in the scheme. The report suggests that the board should receive regular comprehensive management information on cyber risk in order to stay fully appraised of their organisation’s capability to handle cyber threats.
“Boards should ultimately be aiming to actively manage their organisation’s cyber risk profile throughout the year, such is the ever- present and significant threat posed towards FTSE 350 companies by cyber attacks.”
Boards now understand impacts of a cyber incident
“57% of respondents reported a clear understanding of the potential resulting impact of loss of / disruption to key information or data assets. This represents the first time that a majority of Health Check respondents reported a clear understanding of the possible impacts to their business from such an incident.”
Boards are now increasingly recognising the importance of the security of customer data and are regularly reviewing and challenging reports regarding this.
Board members trained to handle cyber incidents
The Health Check reports 90% of FTSE 350 companies have a plan in place to to respond to a cyber incident however 68% of board members say they have not received any training to deal with a cyber incident!
Having a Board member trained to handle a cyber incident sends a positive message throughout a business on the importance of being prepared to handle such problems. Businesses should therefore consider designating a Board lead on cyber incidents, or facilitating training for all Board members if deemed necessary.
GDPR – 6% are ‘completely ready’
The General Data Protection Regulation (GDPR) comes into force May 2018. The good news was that almost all respondents had some level of awareness around the new regulatory requirements, however only 6% could report that they were completely ready. 71% of organisations said that they were ‘somewhat prepared’ but the individuals rights to data deletion was cited as causing the most problems in being compliant (45%)
Cyber maturity needs to improve at a faster rate
The report showed a general improvement in cyber security, possibly triggered as a response to the high impacts of recent incidents like WannaCry and NotPetya attacks, but it also highlighted that cyber maturity amongst the FTSE 350 needs to improve at a faster rate to stay ahead of future cyber security challenges.tracker-report-2017_v6
See the report at Cyber Governance Health Check