Two-thirds of large UK businesses are hit by cyber security attacks, but directors aren’t told about them, according to a government sponsored report.
The latest FTSE Cyber Governance Health Check survey, which was carried out by KPMG, revealed that boardrooms lack understanding because they do not have good information on the subject.
Only 21% of respondents said they received “comprehensive, generally informative” management information on cyber threats, and 17% said they received “very little insight”.
“While cyber security has made it onto the board’s agenda, board judgements on risk are often based on incomplete and partial management information,” said David Ferbrache, technical director in KPMG’s cyber security practice.
He said many boardrooms think they have it under control, but they might miss new threats because they focus heavily on governance and compliance.
“Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and even increase risk,” added Ferbrache.
Following the report, digital economy minister Ed Vaizey said too many firms are losing money, data and consumer confidence due to cyber attacks.
“It’s absolutely crucial businesses are secure and can protect data. As a minimum, companies should take action by adopting the government’s Cyber Essentials scheme, which will help them protect themselves.”
More than half (54%) of respondents said they only hear about cyber security twice a year or when there is a security incident, which is similar to the figure in the 2014 survey.
But acknowledgement of the importance of cyber security is filtering to the boardroom, according to this year’s survey.
In 2013, nearly half of boardrooms said they had heard about cyber security once or twice or view cyber risk as a technical topic that does not warrant board-level discussions. In 2014, more than a quarter (26%) also reflected these opinions. However, this year only 15% responded this way.
Ferbrache said it is important to guard against complacency. “Cyber security is getting boardroom time, but that is far from the end of journey.”
He said businesses need to understand what their risk profile looks like and set their risk appetite in a way that it can be tested and monitored.
“They need to understand how to improve the cyber resilience of their organisation and make sure they are ready to respond to a rapidly changing cyber threat, quickly and confidently,” he said.
Information is essential because only 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties, according to the survey. This is an improvement on the 11% in 2014, but still low.
Image and Copy Courtesy of computerweekly.com