The Financial Times called it an ‘unprecedented step’ last week when MI5 and GCHQ sent letters to the chairs of all the FTSE 350 companies in the UK, urging them to conduct an assessment of their cyber defences. While this may be true, these so-called ‘cyber health checks’ are also a rather toothless response to what is a growing threat for UK companies.
Cyber-security tends to be the preserve of IT departments, and there is generally a lack of knowledge in company boardrooms of what protection is actually required to minimise the threat of cybercrime. Companies and directors often resort to doing the minimum required to protect themselves, whether due to a lack of knowledge, experience, or understanding of the harm a security breach can cause.
This ignorance is not surprising; there is a lack of information about the potential consequences of poor information security. In certain circumstances, however, it is clear that even a single breach can threaten the commercial viability of even very large companies.
Indeed, because of the remote nature of cyber-attacks, a loss of a business’s intellectual property, particularly when it is acquired by competitors, may go entirely unreported. The party affected may never know that commercial information has been compromised or, for example, that this was a reason behind the loss of a competitive tender.
Don’t just tick boxes
The call for ‘health checks’ exacerbates this issue rather than resolving it. Health checks are really questionnaires, allowing business leaders to tick a few boxes in order to comply. They do not create a requirement to delve into how the company reports – or doesn’t, as the case may be – a security breach. Such a superficial process encourages complacency which can leave the company, and UK industry as a whole, more vulnerable to cyber threats.
Putting proper cyber-security in place entails cost and does not provide immediate quantifiable profit improvement. Therefore, unless the benefits can be better analysed and the true risk understood, boardrooms will continue to under-invest, bringing risk into not only their own firms but their entire supply chains.
IT Due Diligence in the M&A process
Increasingly, IT due diligence is an important part of the M&A process as corporate acquirers seek to understand whether a target company either:
- Represents a potential security threat due to system vulnerability; or
- Is in danger of losing or having lost its core intellectual property.
The Government needs to take a more active role in educating companies, particularly SMEs, about the risks. Potentially, cyber-security should become a statutory responsibility of directors, actively managed and reported on in line with other investor information. It needs to be moved to the top of the agenda at board meetings, or UK companies will continue to be at risk.