With high-profile data breaches and ransomware attacks in 2017, awareness of cyber risk among senior management has been increasing. However, growing concern has yet to translate into greater board-level engagement and improved cyber risk governance, according to a recent survey of over 1,500 UK businesses.
Published by the Department for Digital, Culture, Media & Sport, the Cyber Security Breaches Survey 2018 found that UK businesses are increasingly reliant on technology. Virtually all of the businesses surveyed now rely on some form of digital communication or service, and 60% use cloud computing.
Yet cyber risk is ever present: four in ten businesses surveyed experienced a data breach or cyber attack in the last 12 months. The incident rate is higher for larger companies and for those that hold personal data – 72% of large firms suffered an attack or breach in the past 12 months, and almost half of all companies that hold personal data experienced an incident.
Unsurprisingly, awareness of cyber risk is high among business leaders. Three-quarters of all businesses surveyed say that cyber security is a high priority for their organisation’s senior management, rising to 89% for large companies. In fact, fewer companies now say that cyber is a low priority, while more small businesses say it is a higher priority than in the 2017 survey (up from 33% to 42%).
Unfortunately, the survey found that this prioritisation is not always matched by action or engagement from the senior management teams themselves.
Despite many organisations stating that cyber security is a high priority, and given the importance of board-level support, it is disappointing that just 30% of businesses have a board member with responsibility for cyber security, almost unchanged from 29% in the 2017 survey.
The picture is more encouraging for larger companies: the proportion with staff or board members responsible for cyber security rises to 48% for medium-sized and 62% for large companies. There has also been progress since the 2017 survey, with large businesses in particular more likely to assign board-level responsibility for cyber security than before – just 40% did so in 2017.
The most common reason given for not assigning board responsibility is that cyber security is not considered enough of a priority to warrant it (31% of businesses, up from 20% last year). The second most common reason was that the organisation is too small (a quarter of small businesses gave this response), followed by the belief that the firm is not at risk (21%).
Just over half (56%) of all businesses update their senior managers on cyber security at least quarterly or after every breach, rising to 66% for medium-sized and large companies. However, one in five businesses never update their senior managers on cyber security at all. These findings are similar to the 2017 survey, although the report notes signs of a “shift” towards more regular engagement: senior managers are now updated daily in 8% of businesses, versus 4% in 2017.
The report also noted that where senior managers were seen to be interested in cyber security, those responsible tended to feel more empowered to take action. It also found businesses that took more action on cyber security tended to see it as complementing existing strategic priorities, such as business continuity, balance sheet protection and reputation.
According to the survey, it is still relatively uncommon for businesses to document their cyber security risks and approach. Across all businesses, just 27% have a formal policy covering cyber security risks, five percentage points lower than in the 2017 survey.
Only 13% of businesses have a cyber security incident management process in place, and just 35% have specialist staff dealing with cyber security, rising to 62% for medium-sized firms and 76% for large companies. Large firms are generally more likely to have a formal policy and to document their cyber security risks: 59% of medium-sized companies and 74% of large businesses have a formal cyber security policy.
More than half of all businesses (56%) say they have taken some form of action to identify cyber risks to their organisation, a similar finding to the previous year’s survey.
Only 24% of businesses of all sizes carried out a cyber risk assessment in the past 12 months, and investing in threat intelligence is especially uncommon (just 8% did so).
Only 12% of businesses require their suppliers to adhere to any cyber security standards, in line with the 2016 and 2017 surveys, although 37% of large businesses do.
The report concludes that organisations could do more on training and awareness raising, documenting risks and adopting good-practice technical controls. Only a fifth of businesses have conducted cyber security training in the last 12 months, although this rises to 65% for large firms.
Notably, given the role of human error in many data breaches, less senior and non-IT staff are the least likely to receive cyber security training. Some 72% of businesses say that directors or senior management staff attended training in the past year, compared with just 25% for other non-IT staff.
The Cyber Security Breaches Survey findings complement research conducted by the Harvard Business Review for JLT, which highlighted the need for a more strategic approach to cyber risk.
That research found that high awareness of cyber risk among US businesses was not matched by preparedness: only 39% of large organisations said they were well prepared, even though 65% recognised cyber as a significant threat to their reputation.
In particular, the study found that many organisations are not approaching the issue strategically to create effective, cross-functional responses to this business risk. As a result, few organisations are achieving “maturity in cyber security,” which includes training all levels of the organisation, including employees and first-line leaders, to detect and respond to risks; establishing a strategic plan for cyber security; and incorporating cyber security into the organisation’s vision and risk appetite statements.
The Cyber Security Breaches Survey also found that 25% of large businesses now have a specific cyber insurance policy in place, although only 9% of all companies surveyed have purchased cyber insurance. Of the organisations that do not purchase cyber insurance, 43% said the risk does not warrant it, while 22% were not aware that cyber insurance exists, how to take out a policy, or why they might need it.
Some organisations also felt they already had adequate funds to cover a cyber loss, while others said they would rather spend the money on preventing a breach than on insurance.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org