The implementation of the GDPR last year has stimulated much greater discussion of cyber security at board level a report by the Department of Culture, Media and Sport has revealed.
Their 2018 Cyber Governance Health Check of FTSE 350 companies (the fifth such report) found that 77% of them reported increased board discussion and management of cyber security since implementation of the GDPR, with more than half of these businesses also introducing increased security measures as a result.
This was one of eleven broad findings set out in the report of which a couple of others stand out:
- many respondents fail to appreciate the risks in the supply chain with only 23% aware of the cyber risks associated with businesses that are not directly contracted by the business (fourth party and beyond), leaving them particularly vulnerable to such threats.
- 11% report that they have experienced a major cyber attack or incident causing disruption to business operations in the last 12 months.
The report also reiterates some good practice points to help reduce cyber risks as summarised below:
- increase the skills and knowledge of existing board members
- consider recruiting non-executive directors with a technology background
- consider nominating an individual director to take lead responsibility for cyber security risk management
- use the NCSC Board toolkit which covers the fundamental aspects of cyber security
- ensure that a Chief Information Security Officer (CISO), or an appropriate staff member, is able to clearly communicate information about cyber security to the board in a way that is aligned with business objectives
- test cyber incident plans regularly to check they are fit for purpose, and consider subjecting them to an external audit
- take the NCSC illustrative real-world examples of supply chain attacks into consideration to improve awareness and understanding of the risks