Since 2013, the UK Government has surveyed the UK’s top 350 companies to understand how they are managing their cyber risks. This year’s report has found that these businesses are now more aware of the importance of good cyber security, but warns that they must improve at a much faster rate if they are to stay ahead of future cyber security challenges.
Below we look at some of the main findings from this year’s report and discuss what it could mean for the future of cyber security, compliance and data protection.
Arguably, the most startling fact to come out of the report is the finding that 68% of companies have not received any training to deal with a cyber incident. Although over a quarter (26%) had received some incident response training, a worryingly low 2% reported that they had received comprehensive incident response training from their Board.
The report also found that more than a quarter of Boards have no defined role in a company-wide response to a cyber incident. This is simply not good enough in the modern-day enterprise: protecting key information assets is of critical importance across all business functions today.
Board members should manage risks across their organisations, drawing on senior management support, implementing risk management best practices and cultivating a risk-aware culture. By doing this, businesses will not only be safeguarding their prized assets, but will also be gaining strategic and operational benefits.
The report has found that Boards are only occasionally considering GDPR in their meetings. This is a great cause for alarm as the clock ticks closer towards the implementation of GDPR on 25th May 2018. Looking specifically at Board-level handling of GDPR, the largest proportion of respondents (42%) said that the matter had been discussed but was not regular business. This indicates at least a general awareness of GDPR; however, coupled with the report’s finding that only 13% of respondents said GDPR was regularly considered by their Board, it is worrying.
By now businesses should already be well on their way to finalising their GDPR plan. However, the report indicates that this is far from the case, and there is a chance that panic will set in within FTSE 350 companies in the coming months as they rush to put a GDPR plan in place.
Despite these warnings, there is cause for some celebration within the report. There has been a notable increase in the understanding and awareness that Boards have of the potential impact that can result from a loss of, or disruption to, key information or data assets. This has increased from 49% in 2015/16 to 57% in this year’s report.
Concerning the information that Boards receive on cyber security, this year’s report found that 31% receive comprehensive and informative management information on cyber threats. Considering that this has increased from 21% in the previous year, this is a welcome improvement.
To conclude, it’s safe to say that this year’s FTSE 350 Cyber Governance Health Check Report is a mixed bag. There is a marked improvement within some areas, whilst others, like training and the introduction of GDPR, remain overlooked.
If you'd like to read the full report, you can do so here.
What did you think of this year’s report, did anything give you cause for great concern? Did anything strike you as particularly surprising?