Study uncovers major lack of cybersecurity readiness in top UK boardrooms

68% of FTSE 350 board members receive no incident response training

Boards of companies on the FTSE 350 state that cybersecurity is a major concern, yet translating this into meaningful change in the office has proven challenging. A recent study by KPMG, done as part of the Government’s Cyber Governance Health Check, found that 54 percent of respondents place cyber attacks in the top risk group. A similar survey conducted in 2014 found that only 29 percent of respondents felt the same way, an increase of 25 percentage points. Boards are also more likely to discuss cyber security internally than in previous years: only 33 percent of respondents in 2016 said that they had “clearly set and understood” their assessment of cybersecurity threats. This number rose to 53 percent in the 2017 survey.

Despite a burgeoning focus on cybersecurity, companies are still lagging behind on implementation. Only two percent of respondents reported having received comprehensive training for responding to attacks, while 68 percent stated that they had not received any training at all. Ten percent of businesses reported having no plan at all for responding to cyber attacks.

The spate of recent high profile attacks presents a “growing threat”, according to KPMG’s UK head of Cyber Security Paul Taylor.

While cyber security has cemented itself on the board’s agenda, board members often lack the training to deal with incidents. This is hugely important, as knowing how to deal confidently with an incident in the heat of the moment can save time and money.

GDPR Readiness Shockingly Low

The report outlined further concerns, especially considering that the General Data Protection Regulation, or GDPR, will be in effect in less than a year. Seventy-one percent of businesses claimed to be partially prepared for the GDPR, yet only six percent claimed to be fully prepared for its impending demands. Furthermore, 46 percent of boards do not review and challenge reports relating to customer data security, although this figure has improved by 15 percent since the previous survey a year earlier. Forty-five percent of businesses reported that their greatest concern regarding GDPR compliance was responding to individual requests to delete personal data.

According to the 2016 report, only 39 percent of boards would review and challenge reports on their customer data security; this number increased to 50 percent in the latest survey. The percentage of boards that received informative and comprehensive management information grew from 21 percent to 31 percent. More boards now seem to understand how damaging losing access to data, or losing it entirely, can be for their businesses.

Only 49 percent claimed to have a clear understanding of the potential threats posed by cyber attacks in 2016, and this figure rose to 57 percent in 2017. Still, a majority of boards, 53 percent, reported receiving only some information about cyber risks, down just four percentage points between the 2016 and 2017 surveys.