Deloitte says just 20% of the FTSE 100 discloses cyber risk test details. Is this understandable, or inadequate?”
In a recent “letter from the future”, IBM Security’s General Manager Marc van Zadelhoff emphasised that an effective response to a cyber incident requires the kind of training and rehearsal you would get in a hospital preparing for a large-scale emergency.
Yet, as he puts it, “As we’ve seen with recent cyberattacks, often a company’s response can do more damage than the breach.”
To van Zadelhoff, crucially, any response to an attack needs to be integrated: “An effective response plan includes not just the security team’s role in detecting and remediating a breach, but how your organization reacts to regulators, your Board of Directors, law enforcement, clients, employees, the media and other constituents.”
With more and more companies facing everything from ransomware to sustained DDoS attacks at a growing frequency, the issue cannot be ignored.
Is Everyone Listening?
Yet despite this plea – repeated over the years by more than a few CTOs and CIOs – there appears to remain a gulf between those at the coal face of responding to an attack, and board level understanding of the need for an integrated response.
This may, in part, be down to a simple knowledge gap: just 8 percent of FTSE 100 companies have a board member with specialist technology or cyber security experience, according to new analysis from Deloitte.
The professional services specialist found that 57 percent disclose regular testing of overall crisis management, contingency or disaster recovery plans in their annual reports, but just 20% disclose details of specific cyber risk testing to find vulnerabilities in their IT systems.
Public Penetration Testing
Should such penetration testing results be disclosed?
To Deloitte, the answer is a clear “yes”. Phill Everson, head of cyber risk services at Deloitte UK, said: “The 20% of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified.”
He added: “As we see GDPR regulations introduced from May 25th this year this becomes even more important as they require regulators to be notified within 72 hours of a breach. With just two months to go to GDPR, just 21% of companies disclosed in their annual report that they provided cyber security updates to the Board on a regular, monthly to bi-annual, basis. Greater disclosure of this in reports could identify more companies doing so.”
Giving Away Too Much?
Others are less sure: Fujitsu’s Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, said: “There are no two ways about it – cyber-crime is a board level issue and business leaders should be proactive in getting to grips with how their organisation is defending against these attacks… “However, a reluctance to reveal cyber security plans more externally can often be explained. Whilst the forthcoming GPDR will require organisations be honest when a breach takes place, forcing companies to disclose details of specific cyber risk testing may be more difficult as it can allow hackers to understand what defences a company has in place.”
Chris Wallis, the founder and CEO of UK-based Intruder, which provides proactive vulnerability management for its client’s internet-facing systems, told Computer Business Review: “Whether companies choose to publish their approach to security is up to them. It’s unsurprising that some prefer to keep details to a minimum, but a complete absence of mention could be an indication that not enough is being done.”
He added: “The board doesn’t necessarily need to have a cyber expert on it, as long as they have one reporting to them. But what’s really shocking is how few of the UK’s largest companies have even assigned a role to take care of cyber security. Unless you put someone in charge, you can’t expect to have a robust security posture.”
As IBM’s Marc van Zadelhoff puts it: “Good security hygiene — from keeping software patches updated to scanning applications for vulnerabilities — still count, maybe more than ever. And from where I sit, not enough companies are focusing on the mundane, hard work of getting the basics right — 100 percent of the time. Any less than that will leave you open to an attack.”