UK boardrooms are woefully unprepared to cope with cyber-threats, with only 2% of the UK’s largest firms offering comprehensive training to their executives, according to a new government report.
The Cyber Governance Health Check analyzes the state of security in FTSE 350 firms.
It found that although cyber-risk has been elevated to the top of the list in over half (54%) of organizations, much higher than the 2014 figure of 29%, training remained a challenge.
Over two-thirds (68%) of boardrooms polled claimed that they’ve not received any training to deal with a cyber incident, while 10% don’t even have an incident response plan in place.
What’s more, 46% of boards still don’t review or challenge any reports on the security of customer data. Although that figure has fallen by 15% from the previous study, it’s still a worryingly high proportion, given the coming GDPR.
In fact, only 6% of firms said they’re completely prepared for the sweeping new privacy legislation from Brussels, which will come into force in May 2018.
The right to erasure (right to be forgotten) is causing the biggest compliance headaches (45%).
In addition, less than a third (31%) of boards receive comprehensive management information related to cyber-risk, and just over half (57%) said they have a clear understanding of the potential impact of loss of, or disruption to, key info and data assets.
Rob Wilkinson, corporate security specialist at Smoothwall, argued that boardroom education on cyber-risk is vital given that most incidents occur through human error on the part of employees.
“Security is an issue that must be taken seriously by each and every company; whether you’re an SME as part of a wider supply chain, a large telecoms company or even an electricity firm, no company is immune to a hack or breach,” he added.
“In this vein, ensuring a strong security culture is instilled throughout the workforce is crucial to making sure staff are constantly vigilant and aware of the threats. If the top brass don’t pay attention to these threats, it’s not going to set a good example for the rest of the business’ employees.”