71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group.
In what appears to be a sea change in business opinion, over three quarters (77%) believe that regulators should take a tougher stance against companies that are found to have insufficient cyber defences.
NCC Group commissioned research consultancy ComRes to survey 200 board directors from UK companies with over 500 employees. The Group has released its ‘Elephant in the Boardroom’ report on the day its CEO, Rob Cotton, delivers a keynote at the Institute of Directors Annual Convention on the growing cyber threat to businesses.
Commenting on the findings, Cotton said: “Cyber security is the greatest risk facing modern business. For years it hasn’t been taken seriously enough in boardrooms across the country and while these results don’t prove that it’s now being managed appropriately, they do show that directors are realising that greater scrutiny and oversight from regulators and government will stimulate the necessary action and help drive up standards. This can only be a good thing for businesses and consumers alike.”
Elsewhere in the research, 48% of respondents see cyber threats as a bigger risk to business than market volatility. In this post-Brexit landscape, this underlines that cyber security is being taken more seriously than in the past, but it still doesn’t go far enough, according to Cotton.
He continued: “We work with thousands of organisations and see up close how they manage cyber risk. Only the most mature have true board-level ownership and focus their efforts on resilience – knowing that attacks will happen and prepare accordingly. Too many companies are still adopting an ‘it won’t happen to us’ attitude and passing the risk to the IT department or outsourcing it to third parties. That could amount to negligence.”
Other findings in the report provide insight into how much directors in the UK truly engage with cyber risk. One in five respondents have not conducted a table-top cyber scenario, and 30% haven’t used or read the Government’s resources and schemes to help businesses defend against cyber attacks – such as the 10 Steps To Cyber Security guide, the Cyber Essentials scheme or the Cyber Streetwise campaign.
Cotton concluded: “Board directors educate themselves on health and safety, audit and CSR. They become experts in these areas because ultimately the responsibility lies with them. But this isn’t yet the case with cyber security, and that’s ultimately where we need to get to. Unfortunately we’re still a long way off.”