An Institute of Directors in Ireland and Mason Hayes & Curran research report released today, Cyber Security in the Boardroom, has found that the issue of cyber security is increasingly becoming a priority in the boardroom as one third of companies experienced a cyber breach in the past two years. However, many organisations have some way to go in terms of developing a formal strategy and putting appropriate insurance and protection measures in place to deal with cyber threats.
- 93% of directors rate cyber security as an important issue at board level
- 41% say there has been a significant increase in the priority placed on cyber security at board level in the past 3 years
- 40% of organisations have no formal cyber security strategy, rising to 68% among companies with fewer than 100 employees
- Less than a quarter of organisations have cyber liability insurance in place
- One third of organisations experienced a cyber breach in the past 2 years
- 44% of organisations selling online have experienced a cyber breach
- 84% of directors say their organisation will increase spending on cyber security measures over the next 3 years
Cyber security a boardroom issue
The survey, conducted with just under 300 members of the Institute of Directors in Ireland (IoD) in April 2016, found that boards and directors are becoming much more aware of cyber security as an issue at board level, with 93% rating it as very or quite important and 85% of directors claiming to have a high to medium understanding of the cyber security risks facing their organisation.
In addition, 76% of directors say there has been an increase in the priority placed on cyber security by their board over the past three years, with 41% citing a significant increase in priority.
Commenting, Maura Quinn, Chief Executive of the Institute of Directors in Ireland, said: “Managing cyber risk is a concern for the entire organisation and should be led from the top. With an increasing number of issues coming under the board’s remit, directors need to keep up-to-date in their understanding of the risks facing their organisation including readiness to deal with a cyber breach.”
69% of directors claim their organisation is prepared or very prepared for a cyber breach, with an identified executive with responsibility for cyber security present in 80% of organisations. However, only a marginal majority of organisations (56%) have a formal cyber security strategy in place even though 84% of organisations expect to increase spending on cyber security protection measures over the next three years.
“While it is encouraging that cyber security is an increasing priority at board level, it is concerning that 40% of organisations do not have a formal cyber security strategy in place and the vast majority (68%) of those without a strategy are small to medium companies with less than 100 employees. Regardless of size, every organisation should have some level of cyber security strategy in place and this needs to be addressed, particularly when spending on protection measures in most organisations is set to increase,” said Maura Quinn.
Risk and impact
One third (32%) of organisations claim to have experienced a cyber breach in the past two years, rising to 44% among those organisations selling products or services online, and most commonly resulting in an interruption to business, loss of data or reputational damage.
The top five breaches include:
- Computer virus
- Loss / theft of mobile devices
- Email accounts hacked
The consequences of a breach can be significant and, while 69% of directors would describe their cyber liability as high to medium, just 23% say their organisation has cyber liability insurance in place.
Paul Egan, Partner, Corporate, Mason Hayes & Curran, said: “In simple terms, cyber liability is a business’s liability for any data breach in which data, such as customers’ data, is stolen or compromised. The consequences of such a breach can be both reputational and financial, so it has never been more important for companies to have robust strategies in place to both prevent and, if necessary, respond quickly to a data breach.”