FTSE Company Boards Struggle with Cybersecurity Management

Cybersecurity as an issue has made it to the Boardroom for FTSE 350 companies, but the lack of management information and an understanding of their critical assets still eludes boards.

In a survey carried out by KPMG as part of the Government’s Cyber-Governance Health Check, there was some positive information when it comes to management’s awareness of cyber-issues. Nearly half (49%) of businesses place cyber-risk as a top/group risk when compared with other risks that a company faces—up from the 29% who did so in 2014.  And 63% of boards clearly set out their risk management approach in their annual reports.

Boards are also more likely to explicitly set their appetite for cyber-risk than in previous years. One third (33%) had this “clearly set and understood,” an improvement on the 18% who did so in 2014.

Further, 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties—up from 11% in 2014. And about half (49%) of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets. Gone are the days of cyber-security as “just a technical issue.” Only 15% of boards said they view cyber-risk as a technical topic that does not warrant board level discussions. This is a major improvement from the 26% in 2014 and 46% in 2013 who thought that way.

However, for all of that good news, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only a fifth (21%) of respondents said that they received “comprehensive, generally informative” management information on cyber-threats, while 17% received “very little insight.”

“Cyber-attacks continue to pose a growing threat to business,” David Ferbrache, technical director in KPMG’s cybersecurity practice. “While cyber-security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”

Frustratingly, for just over a half of boards (54%), cyber-risk is a subject that they hear about occasionally—either bi-annually or when something has gone wrong. This is a similar proportion to 2014.

“We need to guard against complacency,” said Ferbrache. “Cyber-security is getting boardroom time, but that is far from the end of [the] journey. Businesses need to understand what their risk profile really looks like, and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber-resilience of their organization and make sure they are ready to respond to a rapidly changing cyber-threat, quickly and confidently.”

He added, “Board members need to take collective responsibility for cyber-security and consider it in every aspect of the business. If they can do that, then perhaps cyber-security will become mainstream and a vital component of doing business in our digital world.”

InfoSeccutity-Magazine:

« The Death of the Password Is Upon Us
The Use Of Intelligent Deception in Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NATO Communications and Information Agency (NCIA)

NATO Communications and Information Agency (NCIA)

The NCIA Cyber Security Service Line is responsible for planning and executing all life cycle management activities for cyber security.

Team8

Team8

Team8 is Israel’s most prestigious cybersecurity think tank and venture creation foundry.

Smart Contract Security Alliance

Smart Contract Security Alliance

The Smart Contract Security Alliance supports the blockchain ecosystem by building standards for smart contract security and smart contract audits.

BI.ZONE

BI.ZONE

BI.ZONE creates high-tech products and solutions to protect IT infrastructures and applications, and provides services from cyber intelligence and proactive defence to cybercrime investigation.

GroupSense

GroupSense

GroupSense helps governments and enterprises take control of digital risk with cyber reconnaissance, counterintelligence and monitoring for breached credentials.

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute at Northern Michigan University offers non-degree and industry credentials relevant to emerging careers in cybersecurity.

Astaara

Astaara

Astaara is an integrated insurance services and risk management advisory business incorporating cyber risk advisory, underwriting and analytics.

Authomize

Authomize

Authomize aggregates identities and authorization mechanisms from any applications around your hybrid environment into one unified platform so you can easily and rapidly manage and secure all users.

NetApp Excellerator

NetApp Excellerator

NetApp Excellerator is NetApp’s global start-up program that aims to fuel innovation by partnering with deep-tech start-ups.

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

Talion

Talion

Talion aim to reduce the complexity involved in securing your organisation and to give security teams unrivalled visibility into their security operations, so they can make optimal decisions, fast.

KSOC Labs

KSOC Labs

KSOC is an event-driven SaaS platform built to automatically remediate Kubernetes security risks.

Silent Quadrant

Silent Quadrant

Silent Quadrant delivers incomparable cybersecurity consulting, digital transformation, and risk management within our purpose-driven clients - empowering them to be the most resilient entities.

Acclaim Technical Services (ATS)

Acclaim Technical Services (ATS)

ATS provide operational products, services and solutions to the defense and intelligence communities for all types of critical mission needs.

Finlaw Associates

Finlaw Associates

Finlaw Associates is a trusted cybercrime law firm providing a wide range of taxation, legal, advisory and regulatory services to the financial, commercial and industrial communities.