Cyber immature in UK boardrooms

by Mark Rowe

More than a third (38 per cent) of C-suite executives in the telecoms, utilities, financial services and retail sectors believe a cyber security breach at their organisation is likely over the next 12 months. That is according to a newly commissioned research study by the IT firm CGI.

These businesses estimate that if their most valuable data were lost or corrupted, the average total cost over a year would be £1.2m. Incorporating economic analysis by the Centre for Economics & Business Research (Cebr), the study finds that the telecoms and utilities sectors are significantly more exposed than the other key sectors of the economy examined (banking, insurance and retail).

On average, almost 30 per cent of boardrooms in the UK’s key sectors of the economy (telecoms, utilities, finance and retail) still view cyber security as an IT issue. Only a minority, 35 per cent, of boardroom executives believe their board has a high level of personal expertise in cyber security. This figure drops to just 23 per cent for Non-Executive Directors (NEDs), suggesting that the traditional role played by NEDs in offering ‘constructive challenge’ is not effective when it comes to managing cyber security risk, the IT firm suggests.

Fewer than half of UK boardrooms are confident in the IT security advice they receive. While boards in these key sectors rely on externally sourced cyber expertise for 15 per cent of their requirements on average, 68 per cent confirmed they plan to increase their reliance on external consultants over the next few years.

Attacks on IT have encouraged 81 per cent of UK boardrooms across the economy’s key sectors to increase cyber security scrutiny. However, cyber security appears on the agenda of 48 per cent of these boards only ‘every few months’, with many covering it less than twice a year. Across the sectors surveyed, companies said they assign ultimate responsibility for cyber security to CEOs (38 per cent) or CIOs (31 per cent) in the great majority of cases, with a specialist CISO empowered at just a handful of firms (3 per cent). Interestingly, CEOs are the preferred choice at B2B companies, whilst CIOs are overwhelmingly responsible at B2C firms.

Econometric modelling of the anticipated severity of an attack and the likelihood of an attack found that the telecoms sector is most at risk, closely followed by utilities. The model combines perceptions of the nature of the sensitive information stored, the value of that data, the expenditure on defending against attacks and the overall awareness of risk to the company and sector to derive a risk rating.

The telecoms sector sees itself lagging behind others, with the lowest level of boardroom cyber security expertise. Just 29 per cent of telecoms boards are viewed as having a high degree of expertise, while firms in this sector hold sensitive data with an average estimated value to the company of over £42m. Relative to the other key sectors examined, telecoms respondents were also the most pessimistic about the risk of attack this year, with 52 per cent believing their company was likely to experience a significant breach in the next 12 months. Perhaps in response, 76 per cent of boards in this sector plan to increase their use of external cyber security expertise, and on average the sector plans to increase cyber security investment by boosting technology and personnel spend by 12 per cent this year, compared to 7 per cent in sectors such as retail and insurance that perceive cyber risk to be less urgent.

Utilities are also at relatively high risk, and their boards discuss cyber security least often: in 40 per cent of utilities firms the issue makes the boardroom agenda just twice a year. Companies in the sector hold sensitive data estimated at over £50m on average, but were found to be significantly behind other sectors in having robust plans in place to handle a cyber event, with just one in five respondents confirming that their firm’s cyber crisis management plan is well developed. Utilities firms plan to increase cyber security investment by 14 per cent, the second highest increase after banking, and over 70 per cent of utilities boards plan to look to external consultants to support their plans over the next few years.

Comment

Andrew Rogoyski, Head of Cyber Security, CGI in the UK, said: “UK boardrooms are struggling to get a handle on the cyber security issue. Boards know it is a risk but are uncertain in their approach, often failing to prioritise spend on cyber security. Unless more is done to improve understanding and governance at the highest level, we can expect to see more high-profile breaches.” He continued: “Encouragingly, our research shows that boards do now appear to be taking cyber security more seriously, with planned increases in scrutiny, investment and external advice. Based on Cebr’s analysis it is clear that the telecoms and utilities industries in particular must accelerate these efforts, which is consistent with recent UK, US and European government action to improve the protection of critical national infrastructure.”

© 2024 Professional Security Magazine. All rights reserved.