A UK Government survey has revealed that more than two thirds of companies say their directors have no training when it comes to cyber attacks, a growing threat to businesses.
Jon Geater, CTO of Thales e-Security, is not surprised by the survey. “The results of this latest government survey are not altogether surprising but they are rather concerning given the recent proliferation of data breaches and cyber attacks. The year-on-year rise in cyber attacks should by now have caused boardrooms to recognise the dangers of hacking for companies’ bottom lines, reputation, customer retention and employee confidence.”
“The stakes are simply too high for organisations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy. A concerted focus on robust encryption and key management strategies needs to exist from the top down in companies of all sizes and across industries.
In order for companies to prevent sensitive data from falling into the hands of a malicious hacker, and becoming tomorrow’s headlines, boardrooms need to ensure that cyber and data security feature prominently on their day-to-day agendas.”
Digital Minister Matthew Hancock has urged companies to wake up following attacks on various organisations, like the NHS, and to take advice and training from the National Cyber Security Centre.
The details of this cyber attack training failure are part of the government’s annual Cyber Governance Health Check. It further found that 54% of company boards said computer hacking was one of the main threats to their business. Despite this acknowledgement, 68% of them had no specific training to deal with a hacking incident.
Some progress has been made, however, with 31% of boards now receiving information about computer security risks, compared to 21% in 2015-16.
Geater sees the importance in this: “Awareness among executives is now absolutely critical in today’s digital age. While educating and upskilling every executive would be a Sisyphean task, every business needs C-Level functional leaders to take responsibility for keeping the business running in these difficult circumstances.”
“We have a long way to go until all our organisations are adopting best practice,” said Hancock.
Commenting on the report, Marco Cova, senior security researcher at Lastline, said: “While this is a somewhat worrying revelation, it’s definitely not surprising. Board members with diverse job functions within an organisation have struggled in the past to understand how serious a cyber-incident can be. While large-scale incidents like NotPetya may have gone some way towards remedying this, there is still something of a disconnect between the security team, the CISO, and the board. This is a problem which requires a top-down solution, with the board and the CEO engaging more with how to respond appropriately to cyber incidents in order to set a good example for all employees below them in the business.”
The government’s survey also showed that only 6% of UK businesses are fully prepared for the new GDPR rules. With the new Data Protection Bill to be introduced to parliament shortly, and the GDPR taking effect from next year, there are real grounds for concern.
Simon Morrissey, partner and head of the Data and Privacy practice group at Lewis Silkin, confirms that “GDPR preparedness remains patchy. Regulated businesses such as those in the financial services sector and US businesses with operations in the EU are ahead of the curve. However, many businesses are adopting a wait-and-see attitude due to concerns about the commercial disadvantage and cost of over-compliance, whereas other businesses are not doing enough on the grounds of cost cutting.”
“There are real risks for those businesses that don’t effectively prepare – financial as well as security. Unprepared businesses risk exposure to significantly increased regulatory fines together with multiple legal claims from affected individuals. In addition, there is the risk of reputational damage and the loss of commercial advantage to competitors who can gain trust and consumer confidence by demonstrating to their customers and clients that they are well placed to comply with the GDPR.”
Author – Nick Ismail