The elephant in the boardroom

The elephant in the boardroom - NCC Group · Cyber security is the elephant in the boardroom. To better understand why, we questioned executives of large businesses on their understanding

Sep 05, 2020


Cyber risk is the greatest threat to modern business.

It seems that not a week goes by without a headline in the mainstream press about a company being hacked, or experts claiming the cost of cyber crime to the global economy is either billions or trillions.

And yet most businesses are yet to truly understand and own the risk. Boards educate themselves on the likes of audit and health and safety, but seem to assume that cyber threats should be a risk owned by someone with a technical skillset.

However, when you look at the damage – both monetary and reputational – a compromise can cause an organisation, it becomes clear that ignorance of the risk amounts to negligence on behalf of the board.

Cyber security is the elephant in the boardroom. To better understand why, we questioned executives of large businesses on their understanding and management of cyber risk. This paper details the results of that survey of 200 UK board directors, commissioned by NCC Group and carried out by research consultancy ComRes.

At NCC Group we are committed to improving board-level knowledge and management of cyber security across the globe. Earlier this year we were the first listed company in the UK to create a Cyber Security Committee, led by a senior non-executive director. We urge other listed and large organisations to do the same, and would be delighted to talk to any businesses interested in following our lead.

If you have questions on any of the issues raised in this paper, do not hesitate to get in touch.

September 2016

Rob Cotton CEO, NCC Group plc

© NCC Group 2016

Directors are starting to understand the risk

One trend that has been clear over the last ten years is the growing acceptance by executives that cyber crime is a significant risk. The latest FTSE 350 Cyber Governance Health Check Report*, released in May 2016, is a good example of this, with respondents tending to display a better understanding of the threats compared to previous years.

This is something we found to be the case in our research too, with an overwhelming majority of respondents claiming to have a cyber security strategy in place.

A strategy that takes into account an organisation’s specific profile and looks at both technical controls and human risk is the right first step. What’s crucial though is to not see this as static, but something that’s continually updated to respond to evolving threats and changes to a company’s digital infrastructure.

Our findings show that most directors do ensure their strategy is ‘live’, with four-in-five claiming to review and update their strategy once a year or more.

Although the 6% with no cyber security strategy need to address this issue immediately, these first two findings are encouraging. However, with this assurance comes the potential for complacency. From our experience working with thousands of businesses, only a select few in the most cyber-mature industries are truly prepared to deal with the threats they face. But the vast majority of executives think they can handle the risk - with 83% of respondents believing their organisation is sufficiently prepared to deal with the threats they face.

However, this finding reveals an element of delusion. Any executive that is willing to say their organisation is essentially immune is complacent. Again – from years spent working with organisations on security we can confirm this simply isn’t true. Ironically, the main reason for this is a lack of true board level ownership.

What we read into these findings is that executives are starting to get a better understanding when it comes to cyber security, but we’re yet to be convinced that behaviours have truly improved.

93% of board directors say their business has a cyber security strategy in place.

82% of executives claim to review and update their cyber security strategy once a year or more.

83% believe that their organisation is sufficiently prepared to deal with cyber security threats.

* Cyber Governance Health Check 2015/16: https://www.gov.uk/government/publications/cyber-governance-health-check-201516


Businesses call for greater cyber scrutiny


In general, the UK doesn’t yet have the regulatory teeth of some other jurisdictions when it comes to cyber security. Although the Information Commissioner’s Office (ICO) does commendable work in investigating data protection cases, it doesn’t have the resources or power to motivate organisations into making cyber security a board-level issue that is afforded the right level of attention and investment.

The financial sector is the anomaly. The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have both made cyber security a priority, and subsequently the financial sector is one of the most cyber-mature.

For all UK businesses, the General Data Protection Regulation (GDPR) from the European Union (EU) is due to come into force in May 2018, enforcing stricter data protection rules on companies operating within and trading with the EU. These include significantly larger fines for data breaches (up to four per cent of global turnover) and other features including mandatory breach notification. Although the UK’s long-term relationship with the EU is currently unclear, it is likely that the UK will have to adopt GDPR or at least develop its own equivalent legislation.

With this on the horizon, our research found that a somewhat surprising number of board directors want greater penalties for companies that fall down on security.

Businesses opening themselves up to greater scrutiny is a good sign. It is a reflection of the growing awareness of the severity of the risk posed by cyber crime. There are still over a quarter of businesses that don’t think lower security standards should be a punishable offence, but the fact that a sizeable majority do is a sign of real progress.

This same sentiment was echoed in regards to the actions of regulators.

Although we asserted that directors are still likely underestimating the scale of the cyber risk and the level of their defences, it is positive to see the business community call for a greater level of oversight and scrutiny.

71% agree companies should be penalised for failing to meet basic cyber security requirements.

77% agree that regulators should take a tougher stance against companies that are found to have insufficient cyber defences.


Smaller companies edging ahead in cyber maturity


It might be assumed that the larger the company, the better the cyber defence. In some cases this is true.

The bigger the business, the more budget is available to spend on security (in theory). And some large institutions are typically among the most mature from a cyber perspective – particularly finance organisations.

However, that isn’t necessarily true across the board and our research found some interesting disparities when the data was cut by turnover.

Table-top scenarios are a great way of testing an organisation’s response to a potential breach. Engaging in these regularly is typically a good measure of maturity.

These findings may be due to smaller companies taking more ownership at board level for cyber security. Larger companies may still feel it can be delegated to an audit committee rather than the main board. Given the potential impact of a successful cyber attack, this could well amount to negligence on behalf of the board.

Smaller companies are also making more use of the Government resources available to them – such as the ‘Ten Steps To Cyber Security’ guide, the ‘Cyber Essentials’ scheme or ‘Cyber Streetwise’.

Again, this likely shows boards of smaller companies actively engaging more with cyber risk than their larger counterparts.

46% of directors from £100m+ turnover businesses have not personally read or used Government cyber security tools and schemes, compared to just 12% of those with a turnover between £20m-£49.9m.

25% of directors from £100m+ turnover businesses have never run through a cyber scenario.

97% of directors from companies with a turnover of £20m-£49.9m have sat through a table-top cyber security scenario in the last year, compared to 66% of those with a turnover of over £100m.

Conclusion

Board directors will always have to wrestle with the threat of cyber crime. As businesses move more of their operations online the scope for attackers will grow.

With this in mind organisations must act on this research and make changes. Yes, awareness of the risk appears to be high and board directors at least acknowledge it as something they need to address. But executives are still much better educated on health and safety, audit and CSR. The threat posed by cyber crime needs to be elevated above these issues on the board agenda.

Until boards take true ownership of the risk – with the CEO having ultimate responsibility – the business appreciation for the level of cyber resilience won’t be suitable for a modern governance regime.

Methodology

NCC Group commissioned leading consultancy ComRes to carry out the research detailed in this paper.

ComRes interviewed 200 board directors at UK companies with 500+ employees between 24 August 2016 and 15 September 2016.

Full data tables may be viewed at: www.comresglobal.com

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

Headquartered in Manchester, UK, with more than 35 offices across the world, NCC Group employs over 1,800 people and is a trusted advisor to 15,000 clients worldwide.

0161 209 [email protected]
@nccgroupplc
www.nccgroup.trust