COMPANY chief executive officers (CEOs) across the UK now see investment in cyber security as a revenue opportunity instead of a burden, according to a new study.

The survey – part of business services group KPMG’s CEO Outlook 2017 – also found that CEOs saw the subject as part of their agenda, rather than delegating it down the management chain.

KPMG asked 150 UK CEOs about their investment plans for the future and the issues they saw as having an effect on their business. It found 70 per cent of leaders saw investment in cyber security as an opportunity to find new revenue streams and innovate, rather than as an overhead cost.

Business leaders also put it solidly on their agenda instead of it being solely a matter for chief information officers or chief information security officers, with more than three-quarters (77 per cent) agreeing with the statement “I am personally comfortable with the degree to which mitigating cyber risk is now part of my leadership role”.

George Scott, director of KPMG’s Cyber and Privacy practice in Scotland, said more remained to be done: “It’s encouraging to see business leaders beginning to view cyber security investment as a positive figure on the balance sheet. However, more needs to be done to make sure businesses are prepared in the event of a cyberattack, whether it’s from external sources, or even insiders.

“Nevertheless, the fact three-quarters of UK CEOs see mitigating cyber risks as part of their leadership role is reassuring.

“Today’s CEOs are increasingly required to have a basic understanding of cyber security as part of their skillset in the same way they should have a grasp of finance, budgeting and HR. However, as cyber risk management gradually becomes recognised as standard business management practice, a basic understanding of cyber won’t simply be an added value skill for CEOs, it will be seen as a necessity.”

The report also found that business leaders were not fully prepared for a cyber event such as an employee-led data breach or business data theft.

Only half of those surveyed (52 per cent) believed they were “fully prepared” for both eventualities.

Scott added: “With recent high-profile attacks like ‘Wannacry’ hitting the press, cyber security should be on every CEO’s radar. Businesses need to match their investment in innovative technology with their investment into cyber security, in order to stay one step ahead of cyber criminals. In Scotland, we’ve seen an increase in cyber security investment with many firms purchasing more security tools and technology.

“But unfortunately in some cases, the tools have not been implemented correctly or the right culture hasn’t been instilled, which doesn’t become apparent until it’s too late.

“However, the likelihood of another ‘Wannacry’ type of incident and increasing regulation, such as the onset of the General Data Protection Regulations in May 2018, is forcing firms to revisit their security management and data-handling practices which helps spot those types of vulnerabilities and protect them for the future.”

KPMG’s comments came as Netwrix of Irvine, California said all government departments it surveyed named their own employees as the biggest cyber risk. The authors wrote: “The main reason is bad experiences. In 2016, human errors caused security incidents in 57 percent of government entities.”