Evalian Cyber Governance Health Check Blog

Cyber Governance Health Check 2018

By Georgina Donovan - March 17th, 2019 Posted in Information Security

As part of the UK’s National Cyber Security Strategy, the Department for Digital, Culture, Media and Sport carries out a yearly Cyber Governance Health Check on the top 350 FTSE 100 companies. This acts as a barometer for how corporate Britain views and is responding to cyber security threats; it is also a useful tool to promote good practice among companies outside of the FTSE 350.

As a case in point, 11% of businesses responding to the 2018 Cyber Governance Health Check reported that they had been the target of a major cyber-attack which caused disruption to their business operations in the last 12 months. These businesses shared no common profile, illustrating that taking cyber security threats seriously is imperative for all.

We’ve taken some of the key findings from this report to highlight the areas that all companies should be addressing to improve their Cyber Governance.

Cyber Governance starts with the Board

The impact of a cyber incident can be catastrophic for a corporation, negatively impacting its customers, reputation and share price. It is the role of the Board to mitigate risk as part of its governance, and cyber threats form part of this risk management.

Despite this requirement, according to responses to the 2018 Cyber Governance Health Check, only 16% of businesses feel that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats, indicating that understanding in this area needs to be improved.

Only 16% of businesses feel that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats

But is this a surprise? Board members are not necessarily technical people and are unlikely to know the detail of cyber security, and why should they? Their role is oversight at a corporate level. They should be able to rely heavily on the information provided to them. The quality of this information and the way in which it is presented is key, and this relies on the skill of the Chief Information Security Officer (CISO). We recommend that awareness briefings for executives should be a key part of your information security awareness programme.

Chief Information Security Officer (CISO)

The role of the Chief Information Security Officer or CISO is wide ranging. They will analyse and understand data flows throughout the business, translate that information into areas of cyber security risk, and implement procedures and employee training at every level of the organisation.

At Board level, a major breach could put jobs at risk, so the Board will want to understand the bigger questions, such as: are our defences working? Have we had any breaches? Did we deal with them sufficiently? If not, why not, and how can we change that?

It takes a talented communicator to translate highly technical language into ‘Board speak’, so it comes as no surprise that feedback from the audit firms that carried out the 2018 Cyber Governance Health Check suggests that some boards “may not be getting the data they want, presented in context, with an experienced or evidence-based understanding of the impact”.

Only 35% of businesses taking part in the survey have a CISO that reports directly to the Board

What is shocking is that only 35% of businesses taking part in the survey have a CISO that reports directly to the Board. With the Boards of nearly two thirds of the 350 FTSE 100 companies not having direct contact with their CISO, one wonders what quality of information they are basing their cyber governance decisions on.

In some businesses it may be difficult to justify a full-time CISO. This is why we and others offer outsourced and virtual CISO services.

Is your Cyber Security Strategy fit for purpose?

A Cyber Security Strategy is used to co-ordinate the entire organisation in the prevention of, mitigation of and response to cyber security threats. It highlights where risks are prevalent and the consequences of failure of individual systems, networks and databases should they be affected by a cyber-attack.

96% of businesses had a Cyber Security Strategy but only one third aligned it to their business objectives

To be truly effective, the Cyber Security Strategy must be aligned with business objectives, and KPIs must be embedded in employee performance metrics. Although a positive 96% of businesses responding to the survey have a Cyber Security Strategy in place, approximately one third of those companies have not aligned their strategy to their business objectives. For these companies, the importance employees place on cyber security is likely to be inconsistent, leaving them more vulnerable to cyber-attacks.

You’ve got a Cyber Incident Plan, does it work?

When a cyber threat occurs, time is critical, so it’s important that everyone understands their role in the response; this is where the Cyber Incident Plan is actioned. Key elements of the plan include a risk assessment, a list of stakeholders and a communications plan. The plan should be reviewed and tested regularly. Our recent blog on this subject is a good starting point when preparing your plan.

Carrying out a realistic exercise is a vital part of the plan and one that is often neglected. A cyber threat is unpredictable, the situation changes frequently and it is highly pressurised, so it’s important that an exercise recreates these conditions. This can be done by testing a range of scenarios, issued under time pressure with ‘injects’ (new information that changes the scenario, introduced throughout the exercise).

Just under half of businesses surveyed did not test their cyber incident plans regularly

Although 95% of respondents have a cyber incident plan in place, it’s of concern that just under half of businesses surveyed do not test their plans regularly. This almost certainly leaves them exposed to longer-term damage if a cyber threat occurs. Our consultancy services can help you to prepare your incident response plan, and our incident response exercises can test your plans and help your incident response team to rehearse the various scenarios they could face.

Do your suppliers take Cyber Governance as seriously as you do?

As the saying goes, ‘you are only as strong as your weakest link’. It doesn’t matter how well you secure your own networks and systems; you are still vulnerable to cyber threats through your third-party suppliers. The supply chain is an increasingly popular entry point for hackers targeting large corporations whose own networks are well secured.

As such, the supply chain should be included in all the above elements of maintaining Cyber Security. Whilst the majority of boards (73%) in the 2018 Cyber Governance Health Check recognise the cyber risks posed by supply chains at the first-tier level (third parties), suppliers at the second-tier level (fourth parties) and beyond are flying under the radar. The report reveals that just over three quarters of the 350 FTSE companies do not recognise the risk further down the supply chain.

The report reveals that just over three quarters of 350 FTSE companies do not recognise the risk further down the supply chain

Companies in the second tier comprise those that are not contracted directly by, or even visible to, the lead corporation. The survey reported that for this tier only 23% of businesses recognise the risk. Systems should be put in place through supplier contract agreements, and realistic resources should be allocated to ensure the entire supply chain can be managed, monitored and audited regularly. If you need help to assess, audit and manage security risks in your supply chain, we can help.

Take the following steps to improve your Cyber Governance

As technology and business connectivity evolve, cyber security measures must do the same, and it is the role of the corporation to protect all of its stakeholders. The 2018 Cyber Governance Health Check reveals that even the top 350 FTSE companies have room for improvement.

At the very least, companies large and small should take the following steps to ensure Cyber Governance:

  • Implement a Cyber Security strategy which is aligned with the business objectives.
  • Ensure the CISO reports directly and regularly to the Board, and clearly communicates information that is aligned with business objectives.
  • Recruit Non-Executive Directors with a technology background.
  • Develop an Incident Response Plan and run regular exercises under ‘realistic’ conditions.
  • Monitor the ‘entire’ supply chain including suppliers contracted through third parties.

Further advice and support on all the key elements of cyber governance are available from the National Cyber Security Centre (NCSC) Board Toolkit.

Need help or want to chat?

If you need help preparing your cyber security strategy, need assistance with Board awareness, or require CISO support or incident management planning and testing services, then we’d love to hear from you, and we promise no hard sell. You can contact us here.
