FTSE 350 failing to grasp cyber risks
Less than a fifth (16%) of FTSE 350 boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats, despite almost all (96%) having a cyber security strategy in place, government research has found
5 Mar 2019
The government’s cyber governance health check looks at the approach the UK’s FTSE 350 companies take for cyber security.
The 2018 report shows that although the majority of businesses (95%) do have a cyber security incident response plan, only around half (57%) actually test them on a regular basis.
Awareness of the threat of cyber attacks has increased. Almost three quarters (72%) of respondents acknowledge the risk of cyber threats is high, compared with just over half (54%) in 2017. However, less than half, only 46%, have a dedicated cyber security budget.
Over three quarters (77%) said that board discussion and management of cybersecurity had increased since the implementation of the general data protection regulations (GDPR) in 2018. As a result over half of those businesses had also put in place increased security measures.
Digital minister Margot James said: ‘We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack.’
James said a new project has been announced that will help companies understand their level of resilience. The cyber resilience metrics will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile effectively.
Once developed these indicators will provide board members with information to understand where further action and investment is needed.
Meanwhile, government is recommending the boards continue to make improvements to their cyber security. This includes using the guidance published by the National Cyber Security Centre (NCSC) to improve the management of risks.
Companies should also ensure that cyber risks are taken into account in their business strategy and appoint a chief information security officer (CISO) or other appropriately placed staff members who can clearly communicate information about cyber risks to the board.
Cyber Governance Health Check 2018 is here.
Report by Pat Sweet