- 1 in 5 businesses never update their senior executives regarding cyber security activities.
- Only 17% update them weekly.
- 5% are only made aware when there’s a breach.
The UK government's annual Cyber Security Breaches Survey (2018) highlights the lack of regular reporting regarding cyber security activities and events to senior executives (business owners, board members, etc.) and line management.
The stats are not all that bad. At least 62% of all businesses update their senior executives at least annually, but this really isn't often enough, especially as the threats to their business are continually changing. Regular reporting is no bad thing either, as it provides many benefits, including:
- Improved understanding of regular security activities, which often go unseen and unreported but take up a lot of time. It also highlights day-to-day efforts and challenges outside of the limelight of major breaches or legislative changes.
- Raising and highlighting risks and improvements that may need additional resource or investment to combat, and getting early buy-in.
- Raising future changes in regulation or law early and getting ahead of the curve in preparations.
- Raising awareness of the need to consider information security and data privacy at every level of the business.
It's important to remember that senior executives can only act upon what they can see and have knowledge of. If there are risks they are not aware of, they can't act to protect the business against them.
So why doesn't reporting happen more often? Well, there are a number of possible reasons for this:
- Lack of the right resources (tools and skilled personnel) to regularly monitor and report on risks to the business.
- Outsourcing of functions such as IT or business process can lead to a disconnect on security reporting or a feeling of “offloading” of business responsibilities.
- Lack of understanding of information security at board level, leading to a lack of interest or awareness.
What can I do about this?
Shout Cyber provide a range of bespoke services that can help senior executives gain regular insight into their information security risks, current activities and effectiveness, along with updates on any upcoming and relevant regulatory or legislative changes. These services include:
- Vulnerability scanning and reporting on your IT estate.
- Third-party supplier management.
- Risk management and consultancy services.