FTSE Company Boards Struggle with Cybersecurity Management

Cybersecurity has made it onto the boardroom agenda for FTSE 350 companies, but boards still lack good management information and a clear understanding of which assets are critical.

In a survey carried out by KPMG as part of the Government's Cyber-Governance Health Check, there was some positive news about management's awareness of cyber-issues. Nearly half (49%) of businesses now rank cyber-risk as a top or group-level risk alongside the other risks the company faces, up from 29% in 2014. And 63% of boards clearly set out their risk management approach in their annual reports.

Boards are also more likely to explicitly set their appetite for cyber-risk than in previous years. One third (33%) had this “clearly set and understood,” an improvement on the 18% who did so in 2014.

Further, 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties—up from 11% in 2014. And about half (49%) of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets. Gone are the days of cyber-security as “just a technical issue.” Only 15% of boards said they view cyber-risk as a technical topic that does not warrant board level discussions. This is a major improvement from the 26% in 2014 and 46% in 2013 who thought that way.

However, for all of that good news, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only a fifth (21%) of respondents said that they received “comprehensive, generally informative” management information on cyber-threats, while 17% received “very little insight.”

“Cyber-attacks continue to pose a growing threat to business,” said David Ferbrache, technical director in KPMG's cybersecurity practice. “While cyber-security has made it onto the Board's agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”

Frustratingly, for just over half of boards (54%), cyber-risk is a subject they hear about only occasionally, either bi-annually or when something has gone wrong. This is a similar proportion to 2014.

“We need to guard against complacency,” said Ferbrache. “Cyber-security is getting boardroom time, but that is far from the end of [the] journey. Businesses need to understand what their risk profile really looks like, and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber-resilience of their organization and make sure they are ready to respond to a rapidly changing cyber-threat, quickly and confidently.”

He added, “Board members need to take collective responsibility for cyber-security and consider it in every aspect of the business. If they can do that, then perhaps cyber-security will become mainstream and a vital component of doing business in our digital world.”

Source: Infosecurity Magazine
