A UK government report highlighting a significant lack of board-level cybersecurity awareness among FTSE 350 members has been dubbed “alarming” by a senior cybersecurity professional.
The report, published today, found that only 16% of boards have a full understanding of the impact and disruption associated with cyberattacks, despite 96% having an established cybersecurity strategy.
“It’s alarming to see that the boards of the UK’s biggest businesses don’t understand the impact of cyberattacks, especially given that the impact of a serious attack is absolutely proven to impact revenue, reputation and even individual jobs,” said Jason Hart, CTO of Data Protection at Gemalto and former ethical hacker, in response to the news.
Furthermore, the report found that while 95% have a cyberattack response plan in place, only 57% regularly test it, meaning for many it is likely to prove ineffective in the event of a real incident.
“Of course these organisations will have a cybersecurity strategy in place, but if the business doesn’t understand it – let alone test it – it may as well not be there,” added Hart.
Awareness has increased
While the situation is still poor, it is an improvement on the findings of the UK government’s 2017 report.
72% of boards now acknowledge the risk of cybersecurity threats is high, compared to only 54% in the previous year.
“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made,” said Margot James, UK Digital Minister.
“Cybersecurity should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”
Board-level cybersecurity awareness must improve
Given the damaging impact a cybersecurity incident can have on an organisation, it is imperative that board-level cybersecurity awareness improves further.
“We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyberattack,” said James.
This is not just a matter of growing understanding, but also ensuring the right people are present at board level.
“They must ensure that business strategy is closely aligned to the cybersecurity strategy by ensuring CISO, or equivalent, representation at the highest level – the boardroom,” said Hart.
“The CISO must in turn be situationally aware of the threat landscape, what needs to be protected and have an understanding of how businesses work in order to be effective.
“On the other hand, business leaders such as the CEO must understand the value of cybersecurity to their business, as it is ultimately their responsibility should a breach occur. Until this balance is achieved UK businesses can’t expect things to improve.”