Ipsos MORI survey looks at board views of cyber risks, resilience, and incident response
- Published: Tuesday, 23 November 2021 10:03
An Ipsos MORI survey on behalf of the UK government has looked at the views of ‘Captains of Industry’ when it comes to cyber risks, resilience, and incident response.
A large majority of respondents say that the board in their organization considers cyber threats to be high risk in comparison to all risks the company faces, and that they are well informed to make decisions about cyber resilience. However, more can still be done, with board members still requiring further awareness raising and targeted training to improve their decision-making abilities regarding cyber resilience.
Key findings from the survey include:
Board engagement with cyber security risk
- Nine in ten Captains say that cyber threats are considered as a very high or high risk by the board. The proportion of Captains who say this has seen a slight increase compared with 2020 (from 84 percent to 91 percent).
- Most Captains (77 percent) reported that the board received updates or had discussions about cyber security on at least a quarterly basis over the last 12 months. This includes 26 percent who say they did so monthly or more often.
- The vast majority (92 percent) of Captains agree that the board integrates cyber risk considerations into wider business areas, with slightly fewer (83 percent) Captains saying their board is well informed to make decisions about cyber resilience.
- However, Captains still feel there is more that can be done to equip board members to deal with cyber threats. Captains most commonly mentioned awareness raising among board members and targeted training (34 percent) when asked about what support their board needs to make better decisions about cyber resilience.
Strategy and documentation
- The majority of Captains (between 95 percent and 98 percent) stated that they have documentation in place to manage their cyber security, including a business continuity plan that includes cyber security, a risk register, identification of critical assets and a written list of vulnerabilities.
- However, fewer (77 percent) had documentation outlining the cyber risk the organization is willing to accept, i.e. documentation about the organization’s risk posture or risk appetite.
- Seven in ten Captains (69 percent) suggest that their organization actively manages supply chain risks.
- A similar proportion (68 percent) say that cyber risks in the supply chain are part of the written documents that help manage cyber security risks.