A couple of weeks ago, I wrote that the threat of cyber crime in a cloud-enabled world was real and increasing. I also asked, why are so many organisations still so vulnerable? If the issue isn’t being taken seriously, might that attitude be coming straight from the top? I then came across an article in Computer Weekly, “Cyber security study reveals lack of boardroom governance across UK industries”. The headline finding of a survey of 150+ board members by the Centre for Economic and Business Research (Cebr) – an independent provider of economic forecasts and analysis – is that while 81% of boardrooms said they’d “increased cyber security scrutiny” after the TalkTalk breach, just 53% said they had data breach management plans in place. So, nearly half of UK companies in key sectors did not have crisis management plans to deal with such data breaches. I find that difficult to fathom. You’d think cyber security would feature on their radar a little more, not least because those surveyed hailed from important areas of the UK economy including finance, retail, telecoms and utilities – the latter two being identified as the sectors most “at risk” in the UK economy?
And that’s not all. 48% of respondents to the Cebr survey said that cyber security features on their agenda only “every few months”. Many admitted the issue was covered less than twice a year. Only 9% of the IT budget was, on average, spent on preventing cyber attacks – indeed, almost 30% of respondents still saw cyber security “as an IT issue”. Who, I wondered, is advising these board members? The question is really one of boardroom governance and responsibility. Where does the responsibility rest, to protect the business from what are, after all, not exactly rare or unknown threats? You’d have thought gaining some working knowledge of the threat landscape and security risks would be high on the list of priorities in every single boardroom. Apparently not. The Cebr survey also found that only 35% of boardroom execs believed their board possessed “a high level of personal expertise in cyber security”.
This is strange, in that the information is out there – you don’t have to look very hard for it – and that experts, vendors and solutions are readily available to advise on cyber attacks and to help you better protect your businesses. This isn’t about IT: it’s about risk management, governance and control in 2016. Cyber security is a business issue and, should the worst happen, ignorance is really no defence for board members. We have been warned. And guess what? 38% of C-level execs surveyed also believed a cyber security breach at their organisation “was likely in the next year”.