
Recognition, Respect for, and Response Strategies for Digital Security Incidents
Overall, most UK businesses understand the importance of their information and data assets. More than half (52 percent) of the survey's respondents said they have an acceptable understanding, while 43 percent said their comprehension is clear. As such, it's not surprising that 57 percent of respondents said they have a clear grasp of what the loss of or disruption to these assets would mean for their ability to conduct business. No doubt this knowledge led fifty-four percent of Boards to identify digital risk as a top or "group-level" priority. Still, not all organizations appear to be doing everything they can to stay on top of digital threats. Less than a third (31 percent) receive comprehensive, informative management information about these risks. Fifty-three percent of participating businesses get some information, and slightly less than that (46 percent) don't review or challenge reports about their customers' data security.

"With customer data being a valuable and frequent target for cyber attackers, it is important for Boards to take the lead in securing the data of their company’s customers. Failure to do so could have considerable reputational costs for businesses, while also potentially resulting in fines for the loss of customer data."

Most businesses take these costs seriously, which is why 90 percent of survey participants said they have incident response strategies in place. Fortunately, the Board plays a major or minor role in 17 percent and twenty-seven percent of those organizations' plans, respectively. But only 28 percent of businesses with IR policies have trained their Board members on incident management.

"Having a Board member trained to handle a cyber incident sends a positive message throughout a business on the importance of being prepared to handle such problems. Businesses should therefore consider designating a Board lead on cyber incidents, or facilitating training for all Board members if deemed necessary."

As far as the future is concerned, it's encouraging to see that all but three percent of participating organizations are at least "slightly aware" of the General Data Protection Regulation (GDPR), which takes full effect in May 2018. That being said, most businesses could do more to familiarize themselves with the regulation. Seventy-one percent of businesses are just somewhat prepared to meet the GDPR compliance requirements, for example, with many concerned about an individual's right to personal data deletion. Additionally, only 13 percent of organizations said they consider the GDPR regularly; more than two in five companies' Boards have heard about it at most twice.
