Cyber risk survey

by Mark Rowe

The UK’s top companies are not considering cyber risks in their decision making, according to a new survey from the Department for Business, Innovation & Skills (BIS). The 64-page report in full is at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/260934/bis-13-1293-ftse-350-cyber-governance-health-check-tracker-report.pdf

The survey of FTSE 350 firms showed that only one in seven (14 per cent) are regularly considering cyber threats, with a significant number not receiving any intelligence about cyber criminals.

However 62 per cent of companies think their board members are taking the cyber risk very seriously, and 60pc understand what their key information and data assets are.

David Willetts, Science Minister, said: “The cyber crime threat facing UK companies is increasing. Many are already taking this extremely seriously, but more still needs to be done. We are working with businesses to encourage them to make cyber security a board-level responsibility.”

To tackle what the Coalition terms a growing threat, the Government says that it is working with industry to develop an official ‘cyber standard’ to help stimulate the adoption of good cyber practices among businesses.

Backed by industry, the kitemark-style standard will be launched early next year, as part of the £860 million cross-government National Cyber Security Programme.

Mr Willetts added: “The cyber standard will promote excellence in tackling cyber risks, help businesses better understand how to protect themselves, and ultimately increase the nation’s collective cyber security.”

BIS’s cyber governance health check was sent to the chairs of the audit committee of the FTSE 350 companies in August 2013 via the six largest audit firms. Each company which completed the survey will be offered follow-up advice from one of the firms, based on their responses. The anonymous results, published by BIS, also show:

25 per cent of companies considered cyber a top risk;
39pc had used the government’s 10 steps cyber security guidance;
56pc have cyber on the risk register; and
17pc have clearly set what they see as an acceptable level of cyber risk.

One in ten responding stated that their boards reviewed their strategic risk register at every meeting, the majority covering this annually (40 per cent) or bi-annually (31pc). The CFO (chief financial officer) was named as the most senior “risk owner” for cyber issues by 30pc of respondents, while 23pc named the Chief Executive Officer and 22pc of respondents identified the head of IT. A mere 2pc of respondents said their companies had signed up to the World Economic Forum (WEF) “Partnering for Cyber Resilience” principles.

Three in ten (31pc) of respondents were able to confirm that their company had contract clauses with their suppliers and other third parties regarding cyber risk, while 14pc had other arrangements such as pre-contract due diligence, third party audit and third party self assessments.

Many respondents were unaware of the level of cyber incidents experienced by their company in the last year, while 39pc thought it was roughly the same as the previous year, with 24pc reporting a slight increase, and only one in 20 (5pc) noting a significant increase on the previous year.

The full 63-page report is on this link – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/260934/bis-13-1293-ftse-350-cyber-governance-health-check-tracker-report.pdf

The Coalition’s cyber-governance health check comes in two halves: the ‘Tracker’, a web-based tool to assess and report cyber security awareness and preparedness across the FTSE 350; and the ‘Diagnostic’, an audit-based tool which builds on the results of the Tracker. The Government is working on both with the six firms which audit the FTSE 350: BDO, Deloitte, EY, Grant Thornton, KPMG and PwC.

Comment

Ashish Patel, Regional Director at Stonesoft, a McAfee Group company, said: “How cyber security awareness extends within an organisation beyond the boardroom needs to be assessed. This is especially true of the FTSE 350, which arguably handle most of the UK’s sensitive business data and are the most sought-after prize from a cyber-criminal’s point of view. In developing the kitemark-style standard, the Government needs to ensure a focus on the formation of an entire security-aware workforce, whereby all employees are regularly engaged, educated and empowered to report risky behaviour and potential threats. Those on the ground need to be tuned into the dangers organisations are exposed to online, and how to tackle these, just as much as the C-suite.”

And at the audit firm EY, Mark Brown, Director of Information Security, said: “With 66 per cent of UK businesses reporting an increase in cyber incidents, according to our latest Global Information Security Survey, the announcement of a cyber security standard from the UK Government is a welcome move. For a long time, businesses have known that they need to act to tackle this increasing threat, but they have been missing a robust framework to guide them through the complex, and to an extent unknown, cyber landscape. The organisational standard for cyber security will bring the first major step in that much awaited clarity.

“However, now that the penny has dropped, our collective efforts need to focus on ensuring high levels of take-up from the business community. Admittedly, businesses need to accept a shift in culture when it comes to dealing with the reality of the cyber threat. They need to look at the cyber-criminal community, learn from their practices, and move away from their, so far, defensive approach to a more proactive stance. However, until we get to that point of maturity, the UK Government should explore every option available, from tax incentives to assistance funding, to ensure the maximum number of firms adopt and benefit from this initiative.”

© 2024 Professional Security Magazine. All rights reserved.