UK FTSE 350 boards need cybersecurity wake-up call

According to a recent report by the UK Government, boards at some of the UK’s biggest companies still don’t fully understand the potential impact of a cyber-attack.
5 March 2019

City of London At Sunset. Source: Shutterstock

The Government’s Cyber Governance Health Check looked at the approach of the UK’s FTSE 350 companies with regards to cybersecurity in 2018 and netted some surprising results.

According to the report, just 16 percent of boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats.

This statistic is even more surprising given that 96 percent of them have a cybersecurity strategy in place. Moreover, 95 percent have a cybersecurity incident response plan at the ready, yet only 57 percent test that plan on a regular basis.

“The UK is home to world-leading businesses, but the threat of cyber-attacks is never far away,” said UK Digital Minister, Margot James.

She said that companies are aware of the risks, but more needs to be done by the boards to make sure that they don’t fall victim to a cyber-attack.

James feels that cybersecurity should never be an add-on for businesses, and she urges executives to work with the National Cyber Security Centre (NCSC) for advice and training.

It is heartening to note that 72 percent of respondents acknowledge that the risk of cyber-attacks is high, a big improvement on the earlier figure of 54 percent in 2017.

“Every company must fully grasp their own cyber risk, which is why we have developed the NCSC’s Board Toolkit to help them,” said Ciaran Martin, CEO of the NCSC.

Martin is adamant that cybersecurity is a mainstream risk, and board members need to understand it in the same way they understand financial or health and safety risks.

Another red flag unearthed in the report is that almost 77 percent of FTSE 350 businesses are not recognizing the risks associated with businesses in the supply chain.

The supply chain is increasingly becoming a target for cyber-attacks, as identified in the NCSC report back in 2017.

Unfortunately, only 23 percent are aware of those supply-chain risks, and 64 percent of businesses do not recognize the risks associated with all types of software.

The NCSC recommends that businesses use ‘flow down requirements’ for minimum security standards in contracts with suppliers.

Thankfully, according to the statistics, around 67 percent of companies report that they use contractual terms as an enforcement mechanism with their suppliers.

Meanwhile, more work is being done to improve the cyber-resilience of businesses, with a new project announced to help companies understand their level of resilience.

The cyber resilience metrics will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile effectively.

All in all, these findings highlight the need for all businesses, regardless of size, to understand that constant vigilance and a proactive approach are needed to stay ahead of cyber-attacks in an ever-evolving threat landscape.