Boardroom awareness of cyber risk is growing, but companies still not doing enough

Side view of two blurred businessmen talking in conference roomThe FTSE 350 Cyber Governance Health Check Tracker Report 2015 found that 88% of companies include cyber risk in their risk register, and 92% of boards have a clear or acceptable understanding of the value of their companies’ critical information and data assets. Unfortunately, only 24% of companies base their cyber risk discussion on comprehensive or robust management information. Furthermore, 65% of boards rarely or never review their key information, data assets and personal data to confirm the legal, ethical and security implications of retaining them.

Asked if their company is doing enough to protect itself against cyber threats, nearly half of all respondents answered negatively and admitted that there is more they need to do.

The survey explores the views of about 100 executive and non-executive board members (the majority of which were the chair of the audit committee). It also revealed that:

Cyber security has a significant impact on shareholder value

Asked about the risk factors that apply to their company, 66% of respondents said that their shareholder value was significantly dependent on securing critical information assets, up from 54% in 2013.

Cyber risk is important to the business

The majority of board members take cyber risk very seriously. 53% of respondents believe it is of moderate importance to the business and 36% say it is extremely important to the business.

The majority of companies address cyber risks with their suppliers

48% of all respondents use contract clauses to address cyber risks with suppliers and 44% use pre-contract due diligence. 33% of companies audit third parties, while 25% require self-assessments from third parties. 24% of respondents, however, did not know what methods their companies use to address cyber risks in the supply chain.

Boardroom cyber security training has improved

In 2014, 48% of audit chairs had undertaken some form of cyber security or information security training, up from 29% in 2013. 40% of respondents said board members other than the audit chair had undertaken cyber security or information security training in the previous 12 months, up from 22% in 2013.

Understanding of personal cyber risk profile is low

75% of audit chairs believe that their board members have a limited understanding of their own personal cyber risk profile (how to avoid being a target of an electronic attack). Only 17% claimed that the board has a full understanding and 5% rated it as poor.

Improving cyber security with ISO 27001

Boards should advocate adopting international best practice in all business areas, but even more so in information security. Implementing an internationally recognised standard such as ISO 27001 can provide chief executives with peace of mind that the organisation’s information security management process is up to scratch and their business is better protected against cyber threats.

ISO/IEC 27001 sets out the requirements for developing, implementing and improving an information security management system (ISMS).

Crucially, the risk assessment process sits at the core of ISO 27001. The accuracy of the risk assessment is critical as its outcome drives information security management. In turn, this helps boards better understand the risks and their implications for the organisation’s information assets.

Get_a_lot_of_helpIT Governance has developed a specially formulated combination of essential tools and resources to get you started with an ISO 27001 project, even if you have no prior experience of ISO 27001.

The ISO 27001 Get A Lot Of Help package provides you with guidance from an ISO 27001 implementation specialist throughout the project, without the associated expenses of hiring a consultant to do all the work.

Contact IT Governance today to request a brochure or to discuss your implementation needs with one of our advisors on +44 (0)845 070 1750.