Skip to main content

FTSE 350 firms must take cyber risks seriously, says Government

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

The results from the UK Government’s Cyber Governance Health Check survey are in - and its findings suggest that FTSE 350 directors still have a lot of work to do to better understand the cyber risks that their businesses face.

While 64 percent of board chairs told the Department of Business, Innovation and Skills (BIS) that their board colleagues take cyber risk “very seriously”, there’s evidence that they might be overestimating the time and attention actually spent on the issue.

In fact, only 14 percent of those on FTSE 350 boards regularly consider cyber threats, says the research. Three-quarters of board-level respondents, meanwhile, admit they have received no cyber or information security training in the last 12 months, and eight out of ten say none of their board colleagues have, either. When it comes to companies’ business-risk registers, meanwhile, just over half (56 percent) include a cyber-risk category.

Even board chairs admit to problems: four out of ten say that the main board does not receive regular threat intelligence from the CIO or head of security and less than half (48 percent) say that the board has a clear understanding of the potential impact of information and data asset loss.

The Cyber Governance Health Check was launched earlier this year in support of the UK Government’s UK Cyber Security Strategy. Its first stage is the ‘Tracker’ - a web-based tool to assess and report levels of cyber security awareness and preparedness at the upper echelons of FTSE 350 companies. Completion of the Tracker has resulted in the aggregated report released on 26 November. Individual benchmarking reports for each participating company, meanwhile, have been kept confidential.

The Government plans to repeat the Tracker in the future in order to chart governance behaviours across the economy, enabling further benchmarking as both threats and mitigation best practice develops.

The second stage of this process, meanwhile, is the ‘Diagnostic’ - an audit-based tool that builds on the results of the tracker by putting participating companies in touch with representatives from audit firms BDO, Deloitte, Ernst & Young, Grant Thornton, KPMG and PricewaterhouseCoopers, enabling them to work together on strategies for risk mitigation and IT security best practice. This stage, according the Department of Business, Innovation and Skills, will be rolled out over the next six months.

In order to tackle the growing threat to UK businesses from cyber criminals, the Government is working with industry on developing an official ‘cyber standard’ that it claims will help “stimulate the adoption of good cyber practices among businesses. This will be launched early next year.

“The cyber standard will promote excellence in tackling cyber risks, help businesses better understand how to protect themselves, and ultimately increase the nation’s collective cyber security,” said David Willetts, Science Minister in the UK