UK Boards Are Growing Less Concerned About Cyber-Risk

Far fewer board members of UK companies are worried about cyber-risk than their global peers, according to a new study from Proofpoint.

The security vendor’s second annual Cybersecurity: The 2023 Board Perspective Report is compiled from interviews with 659 board members at organizations with 5000 or more employees, across 12 countries and different sectors.

It found that just 44% of UK board members are concerned about cybersecurity risk, down significantly from 76% last year. This is compared to 73% of global board members who feel at risk of a material cyber-attack, a figure which rose from 65% in 2022.

In addition, fewer business leaders in the UK are concerned about the security risks posed by generative AI tools like ChatGPT than their global counterparts (41% vs 59%).

Read more on CISO-board alignment: #InfosecurityEurope: CISOs Must Be Better Marketers and Negotiators

Part of the reason for this disparity may be poor communication between board members and their CISOs. Just 43% of UK leaders said they interact with security bosses regularly, down from 55% last year. Only two-fifths (39%) said they see eye-to-eye with their CISO versus 74% of CISOs who said the same, according to the report.

This lack of alignment is clear from other data in the report. While UK directors ranked malware (35%), cloud account compromise (33%) and ransomware (33%) as their top concerns, most CISOs chose email fraud/BEC (34%), insider threat (30%), cloud account compromise (30%) and smishing/vishing (30%).

Fewer UK board directors (56%) than CISOs (78%) feel that human error is their biggest risk.

Andrew Rose, resident CISO, EMEA at Proofpoint, warned UK business leaders that material cyber-risk is still very real and continues to evolve. 

“Establishing and nurturing strong board–CISO partnerships is more critical than ever, and this is certainly not a time to grow complacent,” he added.

“Boards must continue to invest heavily in improving preparedness and organizational resilience. This means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”