Cyber security: Board members lack incident response training

More than two thirds of board members at FTSE 350 companies have received no training on how to react to a cyber security incident, according to a new report.

In the UK government’s Cyber Governance Health Check Report 2017, 68 per cent of respondents said they had not been taken through incident response basics.

Meanwhile, 10 per cent of firms said they do not have an incident response plan at all.

And given that only a third of FTSE 350 boards actually responded to the survey, the fear is that these figures could actually be much higher, putting firms – and their customers – at risk.

Another worrying statistic is that only six per cent of respondents said their businesses were completely prepared for the European Union’s new General Data Protection Regulation (GDPR).

These new rules come into full effect in May 2018 and threaten firms with fines of up to €20 million (£18 million) or four per cent of their global turnover for non-compliance.

Although boards did not show themselves to be very prepared for cyber breaches and the GDPR, there were some signs that their awareness of cyber risk is increasing.

54 per cent said it is a top risk for their companies, and 57 per cent said they understand the potential impact that a data breach or disruptive cyber attack could have.

“While cyber security has cemented itself onto the board’s agenda, they often lack the training to deal with incidents,” said Paul Taylor, UK head of cyber security at KPMG, which carried out the research.

“This is hugely important, as knowing how to deal confidently with an incident in the heat of the moment can save time and money. The aftermath of a cyber attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge.”

For more from the report, see the government’s website.