FTSE Company Boards Struggle with Cybersecurity Management

Cybersecurity as an issue has made it to the boardroom for FTSE 350 companies, but good management information and an understanding of their critical assets still elude boards.

In a survey carried out by KPMG as part of the Government’s Cyber-Governance Health Check, there was some positive information when it comes to management’s awareness of cyber-issues. Nearly half (49%) of businesses place cyber-risk as a top/group risk when compared with other risks that a company faces—up from the 29% who did so in 2014. And 63% of boards clearly set out their risk management approach in their annual reports.

Boards are also more likely to explicitly set their appetite for cyber-risk than in previous years. One third (33%) had this “clearly set and understood,” an improvement on the 18% who did so in 2014.

Further, 16% of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties—up from 11% in 2014. And about half (49%) of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets. Gone are the days of cyber-security as “just a technical issue.” Only 15% of boards said they view cyber-risk as a technical topic that does not warrant board level discussions. This is a major improvement from the 26% in 2014 and 46% in 2013 who thought that way.

However, for all of that good news, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only a fifth (21%) of respondents said that they received “comprehensive, generally informative” management information on cyber-threats, while 17% received “very little insight.”

“Cyber-attacks continue to pose a growing threat to business,” said David Ferbrache, technical director in KPMG’s cybersecurity practice. “While cyber-security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.”

Frustratingly, for just over a half of boards (54%), cyber-risk is a subject that they hear about occasionally—either bi-annually or when something has gone wrong. This is a similar proportion to 2014.

“We need to guard against complacency,” said Ferbrache. “Cyber-security is getting boardroom time, but that is far from the end of [the] journey. Businesses need to understand what their risk profile really looks like, and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber-resilience of their organization and make sure they are ready to respond to a rapidly changing cyber-threat, quickly and confidently.”

He added, “Board members need to take collective responsibility for cyber-security and consider it in every aspect of the business. If they can do that, then perhaps cyber-security will become mainstream and a vital component of doing business in our digital world.”

Infosecurity Magazine:
