FTSE Company Boards Struggle with Cybersecurity Management

Cybersecurity as an issue has made it to the Boardroom for FTSE 350 companies, but the lack of management information and an understanding of their critical assets still eludes boards.

In a survey carried out by KPMG as part of the Government’s Cyber-Governance Health Check, there was some positive information when it comes to management’s awareness of cyber-issues. Nearly half (49%) of businesses place cyber-risk as a top/group risk when compared with other risks that a company faces—up from the 29% who did so in 2014.  And 63% of boards clearly set out their risk management approach in their annual reports.

Boards are also more likely to explicitly set their appetite for cyber-risk than in previous years. One third (33%) had this “clearly set and understood,” an improvement on the 18% who did so in 2014.

Further, 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties—up from 11% in 2014. And about half (49%) of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets. Gone are the days of cyber-security as “just a technical issue.” Only 15% of boards said they view cyber-risk as a technical topic that does not warrant board level discussions. This is a major improvement from the 26% in 2014 and 46% in 2013 who thought that way.

However, for all of that good news, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only a fifth (21%) of respondents said that they received “comprehensive, generally informative” management information on cyber-threats, while 17% received “very little insight.”

“Cyber-attacks continue to pose a growing threat to business,” David Ferbrache, technical director in KPMG’s cybersecurity practice. “While cyber-security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”

Frustratingly, for just over a half of boards (54%), cyber-risk is a subject that they hear about occasionally—either bi-annually or when something has gone wrong. This is a similar proportion to 2014.

“We need to guard against complacency,” said Ferbrache. “Cyber-security is getting boardroom time, but that is far from the end of [the] journey. Businesses need to understand what their risk profile really looks like, and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber-resilience of their organization and make sure they are ready to respond to a rapidly changing cyber-threat, quickly and confidently.”

He added, “Board members need to take collective responsibility for cyber-security and consider it in every aspect of the business. If they can do that, then perhaps cyber-security will become mainstream and a vital component of doing business in our digital world.”

InfoSeccutity-Magazine:

« The Death of the Password Is Upon Us
The Use Of Intelligent Deception in Cyber Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Wizard Computing

Wizard Computing

Wizard Computer Services is a full service IT solutions provider that offers managed services, consultation, installation, and support to small and large businesses in New England.

RHEA Group

RHEA Group

RHEA Group offers aerospace and security engineering services and solutions, system development, and technologies including cyber security.

Qualcomm Technologies

Qualcomm Technologies

Qualcomm invents breakthrough technologies that transform how the world connects, computes and communicates.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

Blumira

Blumira

Blumira provides comprehensive, hybrid cloud security monitoring and reporting for organizations of all sizes, enabling them to detect and respond to cloud security threats quickly and effectively.

Zeva

Zeva

Zeva solves complex identity and encryption challenges for the federal government and corporations around the globe.

MindWise

MindWise

MindWise is a comprehensive global threat monitoring solution with implementations for fraud prevention and enterprise threat intelligence.

Certo Software

Certo Software

Certo are trusted experts in mobile security. At Certo, mobile security is not an afterthought, it’s what we do.

Bugv

Bugv

Bugv is a crowdsourcing cybersecurity platform powered by human intelligence where we connect businesses with cyber security experts, ethical hackers, bug bounty hunters from all around the world.

watchTowr

watchTowr

Continuous Attack Surface Testing, with the watchTowr Platform. The future of Attack Surface Management.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

Morpheus Enterprises

Morpheus Enterprises

Morpheus Enterprises offer managed security solutions designed to keep your web applications secure and your business running smoothly.

Verizon

Verizon

Verizon is a leader in IT technology solutions - Verizon Cloud, Networking, Security, Mobility, Machine-to-Machine (M2M), Advanced Communications and Professional Services.

Laneden

Laneden

Laneden specialise in helping organisations identify security concerns and quantify the risks you may have across your assets, using Penetration Testing, Threat Simulation and Compliance Testing.

NetSentries Technologies

NetSentries Technologies

NetSentries provide smart cybersecurity solutions and services to protect Governments, Enterprise and Individuals from threats through a comprehensive range of protocols, products and services.