© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
Last updated: July 24, 2013 11:05 pm
The director-general of the domestic security service MI5 and the director of GCHQ, the intelligence listening post, are urging all FTSE 350 chairmen to take part in a “cyber governance health check”.
The Financial Times/ICSA Boardroom Bellwether survey recently revealed that four-in-five of the UK’s largest quoted companies were not prepared for cyber attacks, fuelling worries that businesses are not sufficiently vigilant about threats to their technology security.
Last October, the business department issued guidance on “10 steps to cyber security”, aimed at the senior management of large UK companies. But only one-in-eight of the company secretaries responding in the FT/ICSA survey said they had seen and acted on it.
The latest government decision is intended to ensure that cyber awareness goes all the way to the top of the company. The “health check” involves both the chairman of the company and the chair of the company’s audit committee completing a questionnaire intended to assess how well the company handles issues such as protecting intellectual property and safeguarding customer data.
The results from this “tracker” will be aggregated on an anonymous basis, to enable companies to see how they rate compared with peers.
David Willetts, the science minister, who signed the letter along with Andrew Parker of MI5 and Sir Iain Lobban of GCHQ, says the information “will give us a sense of how cyber-aware companies are, and what sort of risk assessment they have put in place”. He hopes to publish some overall data in October or November.
The second stage of the “health check” will be detailed discussion with the company’s audit firm about areas in which a company may be particularly vulnerable.
In a sign of how seriously ministers and security chiefs are taking the move, they say chairmen should complete the cyber questionnaire themselves. “By delegating the completion of the Tracker (eg to your chief information officer), your results may overlook existing internal vulnerabilities linked to governance,” they write. They are also clear that even companies that believe they are on top of cyber security should take part.
The initiative was launched as Lakeland, the kitchenware retailer, said on Wednesday that its website had been compromised by a “sophisticated and sustained attack”.
The family-run chain said hackers gained access to two encrypted databases containing customers’ passwords, creating a risk for people who reuse those passwords on other websites.
The hackers exploited a flaw in Oracle’s Java software used on Lakeland’s website. “There but for the grace of God go many. Java has been a bit of a Swiss cheese recently,” says Paul Vlissidis, technical director at security provider NCC.
Security analysts praised Lakeland for disclosing the hack, which occurred on Friday. To do so is not required by law at present – but it would be, under proposed changes to the EU’s data protection rules.