Today the government has published its annual FTSE 350 Cyber Governance Health Check, which assesses and reports on cyber security risk management in the UK’s 350 largest firms.
The main findings were:
- Many boards still don’t fully understand the potential impact of a cyber-attack
- Less than a fifth (16%) of boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats
- This is despite almost all (96%) having a cyber security strategy in place
- Additionally, although the majority of businesses (95%) do have a cyber security incident response plan, only around half (57%) actually test them on a regular basis
Expert Comments below:
“According to the Skybox Vulnerability and Threat Trends Report 2019, last year saw a 12 percent rise over 2017’s total number of vulnerabilities identified. While only a small number of these vulnerabilities will be exploited in the wild, it’s still the responsibility of the organisation and its security team to have full visibility of their attack surface – something that’s becoming increasingly difficult as technologies like cloud and IoT further fragment the cybersecurity environment. If you have limited visibility of where your risks are, it’s impossible to know how to protect yourself. This is the situation that many business leaders find themselves in today.
“The inertia on testing cybersecurity strategy might not be due to a lack of desire for stringency, but rather because of a lack of understanding about how rapidly the threat environment can change. New forms of malware, ransomware etc. are created every single day. Without regular testing, any plans in place will become out-of-date incredibly quickly. If organisations don’t properly monitor and test their cybersecurity incident response plan, they might as well not have one at all.
“It’s likely that the cybersecurity skills crisis has a hand to play here – it’s a sobering truth that there aren’t enough skilled cybersecurity professionals, which means that many organisations simply don’t have the capacity to maintain their cybersecurity incident response plan. In this case, automating the testing of cyber-defences is a must. They need to look for tools which can automate change management processes, give full visibility of the hybrid network and offer the internal and external threat context that they need to prioritize mitigation.
“The threat from cybercriminals is real and present. Without understanding this, our businesses are left teetering on a cliff edge. If they don’t want it to crumble away before them, they need to build the necessary barriers to cybercrime as soon as possible.”