Posted on September 14, 2017 by staff

FTSE 350 boards ‘lack cyber incident training’
The majority of board members at FTSE 350 companies now recognise cyber security as a key issue but this isn’t reflected in the training that management receive in dealing with cyber incidents, new research has claimed.

A survey carried out by KPMG as part of the government’s Cyber Governance Health Check has revealed that more than half (54 per cent) of businesses place cyber risk as a ‘top group risk’ when compared with other potential threats that a company faces. This is a significant improvement from the 29 per cent who did so in 2014.

The study also shows that boards are now more likely to debate and agree their tolerance for cyber risk than in previous years – more than half have this “clearly set and understood”.

However, the survey found that training in how to deal with cyber security issues and threats is still lagging.

More than two-thirds (68 per cent) of those surveyed have not received any training in dealing with a cyber incident. More worryingly, 10 per cent of companies admitted to not having a plan in place to respond to an incident.

“Board members need to take collective responsibility for cyber security and consider it in every aspect of the business,” Martin Tyley, KPMG’s head of cyber for the North, said.

“If they can do that, then perhaps cyber security will become mainstream and a vital component of doing business in our digital world.”

Tyley warned that the aftermath of a cyber-attack, without the appropriate training in managing the issue, can result in “reputational damage, litigation and blunt competitive edge”.

The KPMG report also found that, with the General Data Protection Regulation (GDPR) less than a year away, 46 per cent of boards still do not review and challenge reports on the security of their customers’ data. However, 71 per cent of businesses describe themselves as ‘somewhat prepared’ to meet its requirements.

Tyley said: “It’s worrying that with less than a year to go, many organisations still have a lot to do. GDPR will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member states.

“The regulation sets a new bar for customer and client privacy expectations, but the truth is that many just don’t understand what they have to do and how to deal with it.”