A survey carried out by KPMG as part of the Government’s Cyber Governance Health Check reveals that 74% of companies thought that their Boards were taking cyber security very seriously; however, there is confusion over who should take responsibility for it.
61% of Board members believe they have an acceptable understanding of their company’s key information and data assets, with a further 55% saying they understood the potential impact of losing that data.
Only 24% said they regularly reviewed the risk management around valuable company information and data assets. Despite understanding the importance of risk management, 65% said they rarely or never reviewed it.
A quarter of respondents said they never receive regular high-level intelligence from CIOs or Heads of Security on the types of online threats their business may face.
Despite focusing on the importance of getting cyber security right, only 16% of the FTSE 350 said that the responsibility should lie with CEOs; 31% said the responsibility is that of CFOs and only 15% believed that the responsibility sat with the CIO.
Malcolm Marshall, global leader of KPMG’s cyber security practice, says: "Cyber security may be moving up the Board agenda but clear communication between Boards and management remains patchy at best. Regular Board engagement on these issues is critical to ensuring companies remain alert to this growing threat."
"Alarmingly, just 39 percent of Board members saw cyber risk as an operational risk when comparing it to other threats their companies face. This is a clear indication that Boards have some way to go to understand the consequences that a cyber-attack can have on the brand and bottom line."
One particular trend revealed by the numbers was a major jump in the proportion of companies conducting third-party pre-contract due diligence in the past year: 44% stated they conducted due diligence before signing contracts, up from only 7% in 2014.
Meanwhile 48% said they included clauses in their contracts covering cyber risk, up from 33% last time.
Marshall said: "It’s fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security as, with each link in the supply chain being tightened, the chances of a breach diminish. It’s also clear that steps can be taken in a short space of time if organisations work together, giving real genuine hope of progress for companies of all sizes."
"However, focusing on contractual obligations alone isn’t enough. Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, the baby steps made to date will turn into huge strides on the path towards great cyber security."