Poor communication between boards and front-line management as well as a growing reliance on legal remedies mean UK companies are still falling short when it comes to cyber-security.
A KPMG survey of FTSE 350 firms found that 61 per cent of board members reckoned they had a decent understanding of their company’s key information and data assets, with 55 per cent expressing confidence that they understood the potential impact of losing data.
However, when pressed further, two in three (65 per cent) admitted they rarely or never reviewed the risk management policies designed to keep valuable company information and data assets secure. A quarter of respondents said they don't receive regular high-level intelligence from company CIOs or heads of security about the threats their organisation faces.
The FTSE 350 were (collectively speaking) "lacking in direction about who should ultimately be responsible for cyber security," KPMG concludes. The survey was commissioned as part of the UK Government’s Cyber Governance Health Check.
Malcolm Marshall, global leader of KPMG’s cyber security practice, commented: "Cyber security may be moving up the Board agenda but clear communication between boards and management remains patchy at best. Regular board engagement on these issues is critical to ensuring companies remain alert to this growing threat."
"Alarmingly, just 39 per cent of board members saw cyber risk as an operational risk when comparing it to other threats their companies face. This is a clear indication that boards have some way to go in understanding the consequences that a cyber-attack can have on the brand and bottom line," he added.
The survey found a rise in the percentage of firms conducting third-party pre-contract due diligence, as well as a rise in the number of firms inserting contract clauses to deal with suppliers and cyber risk. Nearly half (44 per cent) stated they conducted due diligence before signing contracts, up from only seven per cent in 2014. Meanwhile 48 per cent said they included clauses in their contracts covering cyber risk, up from 33 per cent in the same study last year.
Marshall said: "It’s fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security as, with each link in the supply chain being tightened, the chances of a breach diminish. However, focusing on contractual obligations alone isn’t enough. Board members need to take collective responsibility for cyber security and consider it in every aspect of the business."
Brian Honan, an infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, said security is still regarded by many boards as essentially a regulatory issue.
"It is interesting to see this rise in the number of boards that are now looking at cyber risk," Honan told El Reg. "However, the low number who appear to be actually addressing and/or prioritising risks is still a concern and would make me wonder how many companies now have cyber risk as an issue as the result of regulatory requirements, such as edicts from the European Central Bank, against those who are genuinely concerned about the risk posed by cyber crime." ®