Cyber-security is increasingly making its way into FTSE 350 boardrooms, which is a good thing. Even so, a new survey suggests that boards are still missing the management information they need and do not fully understand which of their assets are critical.
According to a KPMG survey, done as part of the Government’s Cyber Governance Health Check, 49 per cent of companies consider cyber-security the biggest risk – up from 29 per cent two years ago.
Another measure has also risen: 33 per cent of companies now report a "clearly set and understood" cyber-risk appetite, up from 18 per cent.
On the other hand, the management information needed to support a cyber-risk discussion is still lacking. Just over a fifth (21 per cent) receive "comprehensive, generally informative" management information on cyber-threats, while 17 per cent get "very little insight".
“Cyber-attacks continue to pose a growing threat to business. While cyber security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information,” says David Ferbrache, Technical Director in KPMG’s cyber security practice.
“Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”
For more than half of those surveyed (54 per cent), cyber-risk is rarely on the agenda: it comes up every other year, or only once something has gone wrong. That figure has not moved for some time. Companies are, however, no longer treating cyber-security as a purely technical matter.
Photo credit: Lichtmeister / Shutterstock