A poll out today from ICSA: The Governance Institute has found that almost 60% of organisations polled have faced increased exposure to cyber risk in the past 12 months, with 77% of boards now regarding it as a board issue.
“Cyber crime is one of the fastest growing crimes in the UK,” says Peter Swabey, policy and research director at ICSA: The Governance Institute, “and it is imperative that boards pay cyber risk adequate attention. It is reassuring to see that 72% of the organisations that responded to our poll do, but it is worrying that 14% do not. It is also of concern that 16.5% of organisations polled feel that their board regards cyber risk as purely a problem for IT.”
Although cyber risk is principally dealt with by the Audit Committee in some organisations, respondents disclosed that it is increasingly on board members’ radar.
Some of the ways in which boards are getting to grips with cyber risk is through training sessions on cyber security, and through regular updates.
Considered by some organisations to be one of their highest rated enterprise risks, there is increased vigilance and strategic planning with companies taking various steps to mitigate the risk, such as:
- Regular testing, awareness and security and ‘in case all else fails’ insurance.
- Risk management plans.
- Encryption of key personal data.
- Increased use of software and tightening of parameters of monitoring software used.
- Employee briefings to raise staff awareness.
Questioned about what further support the government or the various regulators could give to companies to help deal with cyber risk, responses were varied, with some considering that it is not necessarily a government or regulatory responsibility beyond raising awareness and providing information about cyber crime.
Others felt that the cyber police force should be increased, that criminal law could be tightened to make it a more serious crime and that there should be increased intelligence and pressure on foreign governments.
“One potential area of concern flagged up was the opinion that NHS trusts might be over reliant on central NHS systems and controls. I would advise all organisations, whatever the sector, to regularly review their systems and controls,” suggested Swabey.
“Organisations might like to consider inviting experts in to breach their systems as this highlights any weaknesses and allows organisations to step up security as necessary. Also, staff training is essential. Cyber risk is a company-wide risk, not just an IT one and the weakest point is usually one individual.”