Boardroom study exposes worrying attitudes to cyber security
Cyber security study reveals lack of boardroom governance across the UK’s major industries
Four in ten boardroom executives in the telecoms, utilities, financial services and retail sectors believe a cyber security breach is likely at their organisation in the next 12 months.
In a study of 150 board members in the UK, commissioned by CGI, respondents estimated the average cost of lost data over one year would be £1.2 million.
Incorporating economic analysis from the Centre for Economics & Business Research, the study found the telecoms and utilities sectors are the most exposed to cyber threats.
Almost 30% of the executives surveyed still viewed cyber security as an IT issue, with only 35% believing their board has a high level of expertise in the subject.
Worryingly this figure drops to just 23% for non-executive directors, suggesting the traditional role played by them to offer ‘constructive challenge’ isn’t effective when it comes to managing cyber security risk.
Less than half of respondents were confident in the IT security advice they receive today. Whilst boards in these key sectors rely on externally sourced cyber expertise for 15% of their requirements on average, 68% confirmed they plan to increase reliance on external consultants over the next few years.
The research confirmed that high-profile breaches have encouraged 81% of UK boardrooms across the economy’s key sectors to increase cyber security scrutiny.
However, cyber security only appears on the agenda of 48% of these boards ‘every few months’, with many covering it less than twice a year.
Across the sectors surveyed, respondents said they currently assign ultimate responsibility for cyber security to CEOs (38%) and CIOs (31%) in the vast majority of cases, with specialist CISOs being empowered at just a handful of firms (3%).
CEOs are the preferred choice for B2B companies, whilst CIOs are overwhelmingly responsible at B2C firms.
Perhaps reflecting a loss of confidence following recent high-profile incidents, the telecoms sector sees itself lagging behind others with the lowest level of boardroom cyber security expertise.
Just 29% of telecom boards are viewed as having a high degree of expertise, whilst firms in this sector hold sensitive data with an average estimated value to the company of over £42 million.
Relative to other key sectors of the economy examined, telecoms respondents were also the least confident about the risk of attack this year – with 52% believing their company was likely to experience a significant breach in the next 12 months.
Perhaps in response, 76% of the respondents in this sector said they plan to increase their use of external cyber security expertise. On average, the sector plans to increase cyber security investment by boosting technology and personnel spend by 12% this year, compared to 7% in sectors such as retail and insurance, which perceive cyber risk to be less urgent.
The utilities industry is also at relatively high risk, with boards discussing cyber security least often – in 40% of utilities firms the issue makes the boardroom agenda just twice each year.
Companies in the sector hold sensitive data estimated at over £50 million on average but were found to be significantly behind other sectors in terms of having robust plans in place to handle a cyber event. Just one in five respondents confirmed their firm’s cyber crisis management plan is well developed.
This is surprising given that utilities firms have high resilience with good business continuity planning, perhaps showing a lack of maturity in the treatment of cyber security as a major business risk.
Utilities firms plan to increase cyber security investment by 14%, the second highest increase after banking, and over 70% of utilities boards plan to look to external consultants to support their plans over the next few years.
“UK boardrooms are struggling to get a handle on the cyber security issue,” said Andrew Rogoyski, UK head of cyber security at CGI. “Boards know it is a risk but are uncertain in their approach, often failing to prioritise spend on cyber security.
“Unless more is done to improve understanding and governance at the highest level, we can expect to see more high profile breaches.”