The Brief
The UK Government’s National Cyber Security Strategy is a five-year plan to protect the nation in cyber space and create a UK fit for the digital age. The annual FTSE 350 Cyber Governance Health Check has been an important part of the strategy since 2013. The FTSE 350, the country’s leading 350 companies, have an important role to play as leaders in the UK economy, particularly in terms of influencing the actions of companies within their supply chains. The Health Check is therefore a barometer of how corporate Britain is responding to the ongoing challenge of cyber threats.
Winning Moves was commissioned to conduct the fifth Cyber Governance Health Check in 2018.
The Solution
Winning Moves was first tasked with critically reviewing the questionnaire that had been used in previous iterations in order to make the questionnaire more robust and increase the validity of the data collected. The critical review resulted in new questions being added to the survey and changes to some of the wording used in the existing questions, although the changes were made with the objective of being able to compare the findings in 2018 with previous years.
The survey explored the following key areas:
- The level of understanding that boards of directors have regarding cyber security in terms of their perception of the risk and understanding of business-critical information, data and assets
- The boards’ engagement with cyber risk information
- The boards’ involvement in incident management, in terms of whether they have incident response plans in place and the extent to which those plans are tested and verified as being fit for purpose
- Whether boards recognise the risks associated with the businesses and software in their supply chain, and how businesses are enforcing cyber security across that supply chain
The list of FTSE 350 businesses was sourced from the Telegraph and downloaded on 12th August 2018. The list included all businesses that had been on the FTSE list within the previous 12 months, but only those that are audited by one of the four audit firms of Deloitte, EY, KPMG and PwC, resulting in a list of 367 businesses.
The survey was set up on an online system which could be accessed by both audit firms and the businesses. The four audit firms approached the businesses that were their clients and encouraged them to complete the survey.
The Outcome
The 2018 Health Check found that boards were continuing to make progress in acknowledging, understanding and responding to cyber threats, and there was a positive trend towards improved governance. Almost three quarters (72%) of businesses perceived cyber threats as very high or high risk in comparison to other risks that the business faces, which was an increase from 54% of businesses in 2017. Encouragingly, the majority of businesses (96%) had a cyber security strategy in place.
However, it was also found that there was scope for improvement in assessing and dealing with risks in the supply chain, and in testing incident response plans to ensure they continue to be fit for purpose. Furthermore, fewer than half of businesses had a dedicated budget for cyber security.
The findings from the 2018 Health Check helped to highlight the need to improve the understanding that businesses have of their assets across multiple locations, and the importance of the supply chain to a business’s overall security. As a result, the government will continue to support businesses through the Cyber Skills Immediate Impact Fund, as well as through the wider guidance and support that it offers, to help build the skills needed for a growing and secure digital economy.
A comprehensive report of the findings was produced and published. The report provides industry sector-specific findings where relevant and includes advice and guidance for businesses to improve their response to cyber security threats.