A new report from the UK government has found that boards at some of the country’s largest companies do not understand the implications of cyber attacks.
The Cyber Governance Health Check, released yesterday, examined the cybersecurity measures taken by FTSE 350 businesses, the 350 largest UK companies listed on the London Stock Exchange. The report found that, although 96 per cent of the responding companies had some type of cybersecurity strategy in place and 95 per cent had a defined incident response plan in the event of a cyber attack, only 16 per cent of company boards showed a “comprehensive understanding” of the potential disruption and financial impact resulting from cyber attacks.
Digital Minister Margot James said: “The UK is home to world leading businesses but the threat of cyber attacks is never far away. We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber security should never be an add-on for businesses; and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”
While a full understanding on the part of board members was lacking, businesses as a whole demonstrated increased awareness of cyber risks, with 72 per cent acknowledging that the risk of online attacks was high: a significant rise from 54 per cent in 2017. 77 per cent of companies said their cybersecurity management had strengthened since the implementation of the EU’s General Data Protection Regulation in May 2018.
Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), said: “Every company must fully grasp their own cyber risk – which is why we have developed the NCSC’s Board Toolkit to help them. This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice. Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”
The UK government advises businesses and their boards to continue developing their protections against, and responses to, cyber attacks, and recommends that companies adhere to advice issued by the NCSC.