Research: UK firms at risk of cyber attacks

Latest KPMG report on FTSE 350 firms reveals lack of clarity around security policy at board level is leaving them vulnerable

UK firms still have a challenge ahead if they are hoping to counter cyber attacks on their business, according to research from KPMG.

KPMG attributes this mainly to a lack of communication between boards and management tiers in FTSE 350 companies: 74 per cent of respondents believed their boards were taking cyber security seriously, but the survey results suggested otherwise.

According to the results, 61 per cent of board members questioned believed they had an acceptable understanding of their company’s key information and data assets, and 55 per cent said they knew the consequences of losing them.

However, just 24 per cent said they regularly reviewed risk management around valuable company information and data assets. And a worrying 65 per cent said they rarely or never did so.

Another point emerging was that members of the FTSE 350 were lacking in direction about who should ultimately be responsible for cyber security. A total of 16 per cent said responsibility should lie with the CEO, and 31 per cent said it was the CFO who should take charge. Just 15 per cent said the CIO.

Malcolm Marshall, global leader of KPMG’s cyber security practice, said: “Cyber security may be moving up the board agenda but clear communication between boards and management remains patchy at best. Regular board engagement on this issue is critical to ensuring companies remain alert to this growing threat.

“Alarmingly, just 39 per cent of board members saw cyber risk as an operational risk when comparing it with other threats their companies face. This is a clear indication that boards have some way to go in understanding the consequences that a cyber attack can have on the brand and bottom line.”

Despite these worrying signs, one positive trend that emerged in the research was a leap over the past 12 months in the number of companies conducting third-party due diligence before signing contracts. A total of 44 per cent of respondents said they conducted such pre-contract due diligence, up from seven per cent the previous year, and 48 per cent said they included clauses in their contracts covering cyber risk, up from 33 per cent.

Marshall added: “It’s fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security as, with each link in the supply chain being tightened, the chances of a breach diminish. It’s also clear that steps can be taken in a short space of time if organisations work together, giving real genuine hope of progress for companies of all sizes.

“However, focusing on contractual obligations alone isn’t enough. Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, the baby steps made to date will turn into huge strides on the path towards great cyber security.”