The damage wrought by the WannaCry and NotPetya malware outbreaks highlights the importance of organizations taking steps to strengthen their digital security defenses. But in the shadow of such high-profile attacks, the state of organizations' security postures remains unclear. Do most companies understand the importance of their information and data assets, for example, and do they have an incident response plan in place should they suffer a digital attack? To help answer those and other questions, the UK government has once again surveyed FTSE 350 companies traded on the London Stock Exchange about how they're addressing digital security risk. A total of 105 companies participated in the study, known as the FTSE 350 Cyber Governance Health Check Report 2017. Those that did are increasingly elevating matters of digital security risk to the board level. All the same, it appears some could still do more to prepare for the possibility of a digital security incident.
Recognition, Respect for, and Response Strategies for Digital Security Incidents
Overall, most UK businesses understand the importance of their information and data assets. More than half (52 percent) of the survey's respondents said they have an acceptable understanding, while 43 percent said their comprehension is clear. As such, it's not surprising that 57 percent of respondents said they have a clear grasp of what the loss of or disruption to these assets would mean for their ability to conduct business. No doubt this knowledge led 54 percent of Boards to identify digital risk as a top or "group-level" priority. Still, not all organizations appear to be doing everything they can to stay on top of digital threats. Less than a third (31 percent) receive comprehensive management information about these risks. Fifty-three percent of participating businesses get some information, and slightly fewer (46 percent) don't review or challenge reports about their customers' data security.
FTSE 350 Cyber Governance Health Check Report 2017, page 16
Organizations that don't receive complete digital threat intelligence and don't at least review reports on their customers' data are playing a dangerous game. As the UK government explains in its report:
"With customer data being a valuable and frequent target for cyber attackers, it is important for Boards to take the lead in securing the data of their company’s customers. Failure to do so could have considerable reputational costs for businesses, while also potentially resulting in fines for the loss of customer data."
Most businesses take these costs seriously, which is why 90 percent of survey participants said they have incident response strategies in place. Fortunately, the Board plays a major or minor role in 17 percent and 27 percent of those organizations' plans, respectively. But only 28 percent of businesses with IR policies have trained their Board members on incident management.
FTSE 350 Cyber Governance Health Check Report 2017, page 19
The UK government feels this lack of adequate Board training does a disservice to a business:
"Having a Board member trained to handle a cyber incident sends a positive message throughout a business on the importance of being prepared to handle such problems. Businesses should therefore consider designating a Board lead on cyber incidents, or facilitating training for all Board members if deemed necessary."
As far as the future is concerned, it's encouraging to see that all but three percent of participating organizations are at least "slightly aware" of the General Data Protection Regulation (GDPR), which takes full effect in May 2018. That being said, most businesses could do more to familiarize themselves with the regulation. Seventy-one percent of businesses are just somewhat prepared to meet the GDPR compliance requirements, for example, with many concerned about an individual's right to personal data deletion. Additionally, only 13 percent of organizations said they consider the GDPR regularly; more than two in five companies' Boards have heard about it at most twice.
FTSE 350 Cyber Governance Health Check Report 2017, page 23
Making Changes
The UK government's FTSE 350 Cyber Governance Health Check Report 2017 provides an excellent snapshot into how organizations value their digital security. It also underscores important ways by which companies can strengthen their security defenses. These strategies include developing an incident response plan, reviewing digital threat intelligence on a regular basis, training the Board on how to manage a security event, and elevating regulations like the GDPR to the level of regular Board business. To read more insights from this year's survey, please download the report here.