Despite a surge in global cyberattacks and increasing awareness about the importance of cybersecurity, many UK companies are struggling to effectively address this critical issue, a report by UK cybersecurity consultancy Savanti reveals.
In 2022, global cyberattacks saw a 38 per cent increase compared to the previous year. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries.
The financial impact of cybercrime is also significant. According to Cybersecurity Ventures, the cost of cybercrime to businesses could reach £8.4trillion annually by 2025, positioning it as the third-largest global economy after the US and China.
In its Effective Board Governance of Cyber Security: A Source of Competitive Advantage report, Savanti reveals that many boards are struggling to understand the intricacies of cyber risks. Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.
The report highlights a compelling correlation between effective cybersecurity measures and business success. Enterprises with digitally-savvy, cyber-engaged executive teams experienced higher revenue growth, increased valuations and improved net margins.
Furthermore, effective cybersecurity practices led to higher success rates when competing for new clients, enhanced data insights, increased investor confidence, and preserved shareholder value during mergers and acquisitions.
Key recommendations
Savanti’s report outlines several key recommendations for boards to enhance their cybersecurity governance:
- Enhance board knowledge: Boards should include at least one non-executive director with expertise in technology, digital, data, or cybersecurity. Directors should be encouraged to educate themselves and engage with cybersecurity experts.
- Prioritise cybersecurity: Cybersecurity should be a standing item on board agendas, discussed at least quarterly, and more frequently when critical issues are ongoing. Some businesses may even consider establishing a technology committee of the board.
- Understand the board’s role: Boards should play four critical roles in cybersecurity – setting the risk appetite, ensuring resilience and recovery plans, maintaining an appropriate level of knowledge, and preparing for crisis incidents.
- Prepare for regulation: As cyber regulation becomes more likely, boards should proactively prepare by reporting on expertise at the board and senior management levels, disclosing risk management arrangements, and promptly reporting breaches to the relevant authorities.
- Leverage independent advisors: Independent cybersecurity advisors can assist boards in enhancing their knowledge, preparing for meetings, formulating questions and identifying potential issues.
Moving forward
Richard Brinson, CEO of Savanti, said: “Many investors see cyber as the canary in the coal mine for the health and resilience of a business – if a company can demonstrate effective cyber preparedness, it is a sign of the strength of their overall leadership, operations and governance.
“But while there has undoubtedly been progress in recent years on board governance of cyber security, many boards struggle to dispense their responsibilities.
“We found many board members don’t understand their unique role on cyber security, lack the right level of cyber awareness and are scared to turn to their chief information security officer to bridge this gap, for fear of exposing their lack of understanding.
“Businesses need to get ahead of the curve. This means requirements for boards to report on relevant expertise at board and senior management level on cyber security, report on risk management arrangements and disclose all material incidents to the relevant public authority to build a more comprehensive shared picture of the emerging threat.”
