FTSE Company Boards Struggle with Cybersecurity Management

Cybersecurity as an issue has made it to the Boardroom for FTSE 350 companies, but the lack of management information and an understanding of their critical assets still eludes boards.

In a survey carried out by KPMG as part of the Government’s Cyber-Governance Health Check, there was some positive information when it comes to management’s awareness of cyber-issues. Nearly half (49%) of businesses place cyber-risk as a top/group risk when compared with other risks that a company faces—up from the 29% who did so in 2014. And 63% of boards clearly set out their risk management approach in their annual reports.

Boards are also more likely to explicitly set their appetite for cyber-risk than in previous years. One third (33%) had this “clearly set and understood,” an improvement on the 18% who did so in 2014.

Further, 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties—up from 11% in 2014. And about half (49%) of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets. Gone are the days of cyber-security as “just a technical issue.” Only 15% of boards said they view cyber-risk as a technical topic that does not warrant board level discussions. This is a major improvement from the 26% in 2014 and 46% in 2013 who thought that way.

However, for all of that good news, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only a fifth (21%) of respondents said that they received “comprehensive, generally informative” management information on cyber-threats, while 17% received “very little insight.”

“Cyber-attacks continue to pose a growing threat to business,” said David Ferbrache, technical director in KPMG’s cybersecurity practice. “While cyber-security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”

Frustratingly, for just over a half of boards (54%), cyber-risk is a subject that they hear about occasionally—either bi-annually or when something has gone wrong. This is a similar proportion to 2014.

“We need to guard against complacency,” said Ferbrache. “Cyber-security is getting boardroom time, but that is far from the end of [the] journey. Businesses need to understand what their risk profile really looks like, and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber-resilience of their organization and make sure they are ready to respond to a rapidly changing cyber-threat, quickly and confidently.”

He added, “Board members need to take collective responsibility for cyber-security and consider it in every aspect of the business. If they can do that, then perhaps cyber-security will become mainstream and a vital component of doing business in our digital world.”

Infosecurity-Magazine: