The Government’s latest annual cyber health check gives a mixed report of how the UK’s leading companies are prioritising and managing cyber risk.
Cyber does now seem to be a board-level issue for most - nearly all of the companies that responded to the Government's survey have a cyber strategy in place. Board understanding of cyber risk and organisational assets is also on the rise. However, more action is needed to fully embed cyber security into organisations. Only 12% rated board understanding of their information, data and systems as fully comprehensive, and 77% did not recognise supply chain risk (a growing area of cyber risk as supply chains become more complex) beyond the suppliers they contract with directly.
So what can organisations do to improve their cyber response? Increased understanding is key. This means having a proper understanding of what cyber risk means to your business (operationally, reputationally, in respect of regulation, board responsibility etc.). Does your board (not just your IT team) understand your business's critical data assets and systems and the potential impact of their loss or disruption? Do you properly test your incident response plan? And while it is great to have a cyber strategy, to be effective it must align with your business objectives - something a third of organisations are still failing to do. For more information on the results of the cyber health check, and the practical steps your business can take, see our briefing "Taking the pulse: what we can learn from the latest FTSE 350 Cyber Health Check".
Although board understanding of cyber security has been increasing steadily since the FTSE 350 Cyber Governance Health Check began, many boards have yet to understand cyber risks in the same way, or to the same extent, as they understand financial risks or health and safety risks.