While cybersecurity isn’t new, what is new is the rapidly growing business dependence on networked systems and the Internet, coupled with the rapidly evolving cybersecurity threat landscape and the value that is at stake for companies in today’s digital-first world. High-profile incidents coupled with increasing government focus are raising awareness of the extent and potential impact of cybersecurity breaches.
Globally, boardrooms are working to get a handle on the cybersecurity issue to avoid more high-profile breaches. According to a new study into boardroom attitudes toward cybersecurity conducted by CGI in the UK in conjunction with the Centre for Economics and Business Research (Cebr), boards are taking cybersecurity more seriously, with planned increases in scrutiny, investment and external advice.
This flagship research surveyed 150 C-level and boardroom business leaders from the UK’s largest companies (1,000+ employees) across the commercial sectors of retail, banking, insurance, utilities and telco. These businesses estimate that if their most valuable data were lost or corrupted, the average total cost over a one-year period would be £1.2 million.
Other findings include:
- Over one-third of UK C-suite executives believe a cybersecurity breach will affect their organization in the next 12 months.
- 81% of UK boardrooms across key sectors plan to increase cybersecurity scrutiny.
- Less than half of UK boardrooms are confident in the IT security advice they receive today.
- 68% of boards plan to rely more on external cybersecurity consultants.
- Almost 30% of UK boardrooms in the key sectors of telecom, utilities, finance and retail still view cybersecurity as an IT issue, and on average only 35% of boardroom executives believe their board has a high level of personal expertise in cybersecurity.
Based on Cebr’s analysis, it is also clear that the telecom and utilities industries in particular must accelerate these efforts, which is consistent with recent UK, U.S. and European government action to improve the protection of critical national infrastructure.
CGI’s UK study offers seven recommended steps toward improved cybersecurity governance that can be applied to organizations across Europe and around the world:
- Appoint a senior executive at the board level to be responsible for cybersecurity with the authority and know-how to address the risks.
- Include cybersecurity on every board agenda, reporting on risk to the business, nature of sensitive data and mitigation progress, at a minimum.
- Treat cybersecurity as a company-wide business risk and assess it as you would other key business risks, encouraging a discussion about risk appetite, risk avoidance, risk mitigation and cybersecurity insurance.
- Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk, including the emerging European legislation in the form of the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD).
- Get specialist expertise to advise and inform the board, whether from internal teams or external advisors.
- Set a program of work to manage cyber risk, allowing a realistic time and budget.
- Demand improved security from your IT suppliers, including products, systems and services.
CGI encourages a debate about how boards can take positive steps to improve levels of governance as a means of reducing exposure to cyber risk. I invite you to view a summary infographic of the key findings.