Published: 21st July 2019
Area: Assessment & Strategy
But a different survey – this time of IT professionals – has shown that, while their bosses are confident, they themselves are deeply worried.
Awareness
A UK government survey of cybersecurity in big business shows that management’s awareness of the threat posed by hackers targeting their companies is on the increase. Almost three quarters of those surveyed reported their boards saw the risk of cyber threats to be high or very high in the list of all threats they faced.
The FTSE 350 Cyber Governance Health Check of 2018 showed 96% of those surveyed had a cybersecurity strategy in place. But it also showed that less than half (46%) had backed the strategy with any kind of budget.
Of more concern was the admission that just 16% claimed to have a comprehensive understanding of the potential loss and disruption they would face if a cyber threat turned into a real attack.
Incident response
The vast majority (95%) claimed to have established a cybersecurity incident response plan, but only 57% could report that they tested it on a regular basis.
Just one in five boards were able to confirm they had undertaken a crisis simulation on cyber risk in the previous 12 months.
Deeply worried
A separate survey of 1,500 IT professionals established that, while board members and top management felt in control, the techies are deeply worried about the threats they face.
Just 15% said they felt confident in the cybersecurity capabilities of their employers. In a similar survey the previous year, 80% of tech professionals said they were worried that confidential data might be vulnerable to attack.
Growing danger
Said Charlotte Riley of CSS: “How can these two viewpoints co-exist? Is it that board members are happy to be told they have an effective cybersecurity policy in place without actually testing it? Or is it that the IT professionals they employ have a better understanding of the growing danger surrounding them?
“There is no doubt that the threat of cyber attacks is growing, as is the range of platforms which can be used to launch attacks. Gone are the days of just making sure your own internal systems are protected – your PCs and servers – now you have to think about your cloud storage and the use of smartphone and IoT devices if they have access to your data.”
Making changes
But how do you go about making changes to plug the gaps in understanding between board and employees?
One suggestion would be the appointment of a chief information security officer (CISO). Apart from co-ordinating cybersecurity for the firm a major part of his role would be the education of board members and top management on the degree of risk they face.
GDPR should be another motivating factor because, if the worst comes to the worst, ultimate responsibility for the potential devastating consequences of a successful attack would rest with the board.
Serious consequences
Said Charlotte Riley: “Maximum fines of €20 million or 4% of annual turnover are just the start. Depending on the scope of the attack and the severity of the data breach there could be serious consequences for the continuing future of the company with an unstoppable exodus of business partners and customers alike angry about the exposure of their private information.
“Once the cat is out of the bag it would be impossible to get it back in again without some serious damage and the buck would most definitely stop on the desks of the big bosses.”
Sources:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/783263/FTSE_350_Cyber_Governance_Health_Check_2018.pdf
https://www.zdnet.com/article/cyber-security-why-bosses-are-confident-and-tech-workers-are-scared/
https://www.zdnet.com/article/cyberattack-planning-is-still-depressingly-poor-even-in-big-businesses/