
Testing report

by Mark Rowe

More than half (57pc) of FTSE 100 companies disclose in their annual report regular testing of overall crisis management, contingency or disaster recovery plans, according to an audit firm. However, just 20pc disclose details of specific cyber risk testing, such as ‘ethical hacking’, to find vulnerabilities in their IT systems, says Deloitte.

Phill Everson, head of cyber risk services at Deloitte UK, said: “Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20pc of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified.

“As we see GDPR regulations introduced from May 25th this year this becomes even more important as they require regulators to be notified within 72 hours of a breach. In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21pc of companies disclosed in their annual report that they provided cyber security updates to the Board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so.”

Although few FTSE 100 companies disclose providing security updates to their board, most (89pc) recognise cyber as a ‘principal risk’ and identified a number of consequences in the event of a breach. Of the impacts noted, disruption to business and operations was of greatest concern, flagged by 70pc, followed by data loss (58pc). Reputational damage and financial loss were also identified by 56pc and 54pc of companies, respectively.

Everson added: “An area that has had less recognition in the past is the insider threat, but it is mentioned by 23 companies this year. 17pc of companies this year identified malware as a threat, up from 12pc last year. In future we expect to see more companies go into greater depth on their strategies to mitigate against employee risk and the threats posed by malware.

“Elsewhere, we are also seeing companies provide more clarity on who is internally responsible for cyber risk. Over the last two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber. This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100pc, and expect investors would as well.”

By comparison, just 5pc of companies last year disclosed having a member of the board with specialist technology or cyber security experience. This has gone up to 8pc this year, a figure matched by the number of companies that also disclose having a Chief Information Security Officer (CISO) in the executive team this year.

Comments

Pete Banham, at email and cyber security product company Mimecast, said: “Organisations must focus on analysing their business for weaknesses to prevent undue risk exposure. The upcoming GDPR regulation will inform how sensitive data can be collected, stored, searched and found. This is where the real workload lies for organisations. An ‘archive-all’ culture means organisations don’t always know what lurks in their vast pools of unstructured data such as email messages and attachments. A compromised system can leave an organisation in breach of new regulations.

“It has never been more imperative for businesses to implement a cyber resilience strategy. This should include strong methods of protection, combined with a reliable archive and recovery strategy for data that will ensure uninterrupted access and use of vital systems like email in the event of a breach.”

And Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu, said: “There are no two ways about it – cyber-crime is a board level issue and business leaders should be proactive in getting to grips with how their organisation is defending against these attacks. Every organisation, be it public or private, is vulnerable. And with our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, the nation has an obligation to make data protection as much of a priority as the public, who are regularly asked to hand over financial and other personal data.

“Many organisations will be using cyber threat intelligence (CTI) as an early warning system to help identify and block potential threats before they escalate and become problems. But with the skills gap affecting IT departments in particular, the board should be made aware if their organisation is in need of additional support, and this can only come from regular security updates.

“However, a reluctance to reveal cyber security plans more externally can often be explained. Whilst the forthcoming GDPR will require organisations to be honest when a breach takes place, forcing companies to disclose details of specific cyber risk testing may be more difficult as it can allow hackers to understand what defences a company has in place.

“In short – if organisations are to remain ahead of their competitors and stay trusted in the eyes of the consumer – companies need to ensure they are at the very least reporting openly and honestly about their cyber risk testing to the board. After all, cybercrime is not a probability – it is an inevitability. And the way everyone in the business – from graduate to senior leaders – prepares for it can make all the difference.”
