The UK’s biggest boards are still clueless when it comes to cyber issues, according to a new study.
The Government’s Cyber Governance Health Check looks at the approach the UK’s FTSE 350 companies take to cybersecurity. The 2018 report, published today, shows that fewer than a fifth of boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats. That’s despite almost all (96 percent) having a cybersecurity strategy in place.
While most also have a cybersecurity incident response plan, only around half test it regularly.
Digital Minister Margot James said: “The UK is home to world-leading businesses, but the threat of cyber attacks is never far away. We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack.
“This report shows that we still have a long way to go, but I am also encouraged to see that some improvements are being made. Cybersecurity should never be an add-on for businesses, and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”
Awareness of the threat of cyber attacks has increased. Almost three-quarters of respondents acknowledge the risk of cyber threats is high, a significant improvement on just over half (54 per cent) in 2017.
The implementation of the General Data Protection Regulation (GDPR) in 2018 has had a positive effect in increasing the attention that boards are giving cyber threats. Over three-quarters of those responding to last year’s health check said that board discussion and management of cybersecurity had increased since GDPR. As a result, over half of those businesses had also put in place increased security measures.
Ciaran Martin, CEO of the NCSC, said: “Every company must fully grasp their own cyber risk – which is why we have developed the NCSC’s Board Toolkit to help them. This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice. Cybersecurity is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”