The UK Government has released the Cyber Governance Health Check (CGHC) 2015, which shows that FTSE 350 companies are beginning to understand cyber security. The report was released on the same day the UK Government lambasted businesses, telling them that they needed to do more to protect against cyber security attacks.
In the foreword to the report Ed Vaizey, Minister of State for Culture and the Digital Economy, says: “This report shows company boards are improving their understanding of cyber risks and taking them more seriously than ever before.” Yet read through the questions and responses and, while there has been progress, it is patchy and still far from enough given the current threat situation.
How well do company boards understand the threat?
To understand the threat to its business a company must understand what is at stake. This is not just what its digital assets are but also what their value is to criminals and competitors. The latter is increasingly important, as there has been an uptick in industrial espionage and in criminals going after financial data to manipulate stock prices. Surprisingly, the proportion of boards deemed to have an acceptable understanding (60%) and those with a clear understanding (32%) of their assets and their value is down slightly on last year.
By comparison there is an increase in understanding of the impact on the business of a security breach. Although the proportion with an acceptable understanding (47%) was down on 2014, the proportion with a clear understanding (49%) was up substantially. With legislation such as the EU General Data Protection Regulation (GDPR) due to come into force, bringing serious consequences for data breaches, this is good news.
There is mixed news when it comes to understanding privacy and reviewing risk. The proportion of companies that regularly review their assets, whether thoroughly or somewhat thoroughly, is up on 2014. Unfortunately, so is the proportion that rarely review their assets. The aforementioned GDPR and other upcoming legislation from Europe is heavily focused on privacy. There is a serious need for boards to improve their understanding of the data they hold and the risks of holding that data.
Third party sharing of data
No company operates in a vacuum, and as IT departments begin to open up systems to partners, be they customers or suppliers, data is flowing out of companies and into third-party systems. Few companies bother to validate the security of their partners, so it is notable that this report asked: “How has your company addressed Cyber Risks with its suppliers and other relevant third parties?”
The responses here showed a significant improvement over last year. From contract clauses to audits of third parties and the requirement to be members of certification schemes such as the Government Cyber Essentials Scheme, the numbers were up. But that isn’t the whole story. While due diligence and contractual obligations are improving, there is a mixed response when it comes to understanding what is being shared.
Fewer than 18% of boards have a very clear understanding of what is happening with shared data, and fewer than 48% have a basic or acceptable knowledge. Worryingly, the proportion of boards with a poor understanding rose to over 20%. This is not about understanding the minutiae of what is shared but the risk to the business from what has been shared.
The key questions here are about liability and negligence, and it is unclear what the current legal position would be should a supplier suffer a serious data leak. This is an area where cyber insurance policies could be used to require better disclosure of, and information about, data sharing.
There is much more in this report, which in places shows confusion or a lack of attention to detail. One could argue that it is not the role of the board to manage details, but where those details could be business threatening, such as fines of up to 5% of global turnover under the proposed GDPR, boards do have a fiduciary duty to shareholders and the company to seek out better data.
It will be interesting to see how, or even if, organisations such as the CBI or the IoD respond to this report. After all, it is their members who are being criticised here. It is also possible to make the case for non-executive directors being given more statutory powers to request access to data when it is business critical. However, many would argue that the lack of cyber security skills among non-executive directors means they would not necessarily understand what to ask for, or even how to interpret it when they receive it.
While the cyber health of FTSE 350 companies is improving, and not quite on life support, this report does not instil massive confidence that boards are on top of the problem. The question going forward is how many will continue to invest in improving security if the gains are so slow to come by.