Monday’s Government survey of Britain’s FTSE 350 companies has revealed some worrying statistics. The 2017 FTSE 350 Cyber Governance Health Check analyses how the boards of the UK’s largest listed businesses deal with cyber security and data protection challenges. Reading its results, it is difficult to decide which figures should cause the greatest concern.
Is it the fact that two-thirds of FTSE 350 boards have not been trained to deal with a cyber attack? Or that 10 per cent have no response plan in the event of one, and over 40 per cent have no clear understanding of what impact an attack might have on them? Or, given that the General Data Protection Regulation (GDPR) applies from 25 May 2018, is it the fact that only 6 per cent say they are completely prepared for the new data protection rules?
Of course there will be individuals within each of these companies who have specific responsibility for information security and compliance. In larger companies these will probably be Chief Information Security Officers (CISOs). But the fact that the report surveyed boards rather than CISOs reflects the importance of top-level engagement in supporting and resourcing this work.
Large fines, such as the one imposed on TalkTalk, may be going some way to putting information security at the centre of board agendas. But it is worth pointing out that when GDPR takes effect next year, the Information Commissioner’s Office (ICO) will have the authority to impose fines far higher than under current data protection legislation: up to €20 million or 4 per cent of global annual turnover, whichever is greater, against a current maximum of £500,000. This takes the monetary value of data protection fines to another level and makes board-level responsibility even more of a necessity. Boards cannot simply delegate responsibility to a data protection officer (DPO) or the CISO. Every member of the board must buy in to the cyber security process and support those on the front line of cyber defence and data protection compliance.
By developing a board-level strategic approach to cyber security and data protection, it is possible to build a robust defence against cyber criminals and stay on the right side of GDPR. SRM has experience and expertise in all areas of information security and works with every size and type of organisation, from FTSE 350 companies to SMEs, charities and government bodies. We are able both to advise at board level and to manage the process on the front line. Our approach is collaborative and tailored to the specific requirements of each organisation.
If board-level engagement provides the support and resources for the challenges ahead, there is every chance that the 2018 FTSE 350 health check will bring better news.