Few of the UK’s largest listed companies regularly consider the cyber threat to their business, yet most think their board members take this risk very seriously, according to a survey carried out by the business department.
The findings also suggest that even when the main board does talk about how to protect the company from technological attack, the discussion is not always particularly well informed.
The business department believes that corporate cyber security would improve if those responsible for it came under increasing scrutiny from the very top of a company.
Most respondents – chairmen and the chairmen of audit committees of FTSE350 companies – said the board had only a “basic” or “acceptable” understanding of the company’s key information and data assets.
However, three in five respondents thought that the board took cyber threats very seriously, though one in five thought fellow directors did not take it seriously enough.
One in five said board discussion of cyber risks was based on “very little insight” – a higher proportion than said it was founded on robust and comprehensive management information.
Just three in 20 said the board looked at cyber threats on a regular basis.
And one in four said the board had a poor understanding of the way in which the company shared its key information assets with others, such as suppliers, outsourcing companies and advisers. Some advisory groups said that when they pitched for new business, they were increasingly being pressed about their own cyber security arrangements as companies registered the cyber threat that they may face through third parties.
“Boards need to be well informed, asking the right questions and driving mitigation measures which help their companies successfully navigate the risks and seize the opportunities presented by cyberspace – for example, what critical data they hold and where, and who has access to it,” the business department said.
“Companies should talk to their suppliers about cyber security. To support business we are working with industry to develop an official ‘cyber standard’, which will allow companies to demonstrate they are serious about cyber security, and therefore a good business partner.”
Despite the gaps in knowledge that the survey reveals, only a minority of companies are active in enabling directors to acquire new skills in this area. Three-quarters of those replying said they had not had any cyber security training in the past 12 months, while four-fifths said none of their colleagues on the board had received that sort of training.
David Willetts, science minister, said: “The cyber crime threat facing UK companies is increasing. Many are already taking this extremely seriously, but more still needs to be done.”
The survey is part of the business department’s efforts to sharpen corporate awareness of cyber crime. In July, security chiefs put their names to a letter urging the chairmen to take part in the “cyber governance health check”.