Disruptions to supply chain grow
The number of organisations that have experienced more than ten supply chain disruptions has tripled in the past year – up to 22 per cent this year compared with just 7 per cent in 2015.
According to the Business Continuity Institute’s (BCI’s) latest Supply Chain Resilience Report, supply chain disruptions that have increased in impact include loss of productivity (68 per cent in 2016, up from 58 per cent in 2015), increased cost of working (53 per cent, up from 39 per cent), and damage to the brand or reputation (38 per cent, up from 27 per cent).
The research found that 43 per cent of organisations do not insure these losses, and only a quarter of respondents (27 per cent) report top management commitment to supply chain resilience (down from 33 per cent in 2015).
Furthermore, only three-quarters of respondents (73 per cent) report having business continuity arrangements in place to deal with disruptions to supply chain.
Download the report at bit.ly/bcireport
Boards must set cybersecurity agenda
If businesses fail to take cybersecurity seriously in their business planning, regulators may do it for them, the ICAEW has warned. Richard Anning, head of the ICAEW’s IT Faculty, said boards must grasp the nettle and deal with it as a priority. “Despite years of warnings, many still regard cybersecurity as an optional extra,” he said. “This is why we are increasingly seeing more data breaches that harm consumers and businesses alike. Cybersecurity is integral to digital business.”
The ICAEW’s latest report “Audit Insights: Cyber Security” – based on input from external auditors from the top six audit firms – said that high-profile data breaches and the slow pace of cybersecurity progress means that unless boards take control of the agenda, governments may decide to legislate.
The report says that cybersecurity needs to be a boardroom issue, especially as the EU has unveiled new rules that specifically place on them a responsibility to manage the risk. The General Data Protection Regulation (GDPR) updates and replaces the existing regulatory framework around the protection and use of personal data, while the Network Information Security (NIS) directive specifies obligations regarding cybersecurity in certain industry sectors, largely associated with critical national infrastructure and major information processing activities.
The ICAEW’s guidance suggests that boards should see cyber risks as real and dynamic, take behavioural change seriously and recognise cybersecurity as a precondition for operating.
FRC expects to see Brexit narrative in annual reports
The UK’s corporate governance regulator has said that companies need to address risks surrounding Brexit and its impact on the business within their annual reports.
The Financial Reporting Council (FRC) has issued a letter that highlights “key issues and improvements that can be made to annual reports in the 2016 reporting season to help foster investment in the UK”.
The regulator says that “in an era where cyber risk, climate change and Brexit pose economic, social and environmental uncertainty, the FRC encourages companies to consider a broad range of factors when determining principal risks and uncertainties facing the business and performing their analysis for the viability statement.”
Paul George, the FRC’s executive director for corporate governance and reporting, said: “Annual reports are the main source of information for investors who need to understand how the company is performing to allow them to judge the long-term prospects for their investment.”
He added: “In the light of Brexit, it is imperative to promote strong investment in UK markets, and to do so there must be constructive engagement between investors
Organisations fail to update their plans for data breaches
While most organisations have a data breach preparedness plan in place, research indicates that executives are not updating or practising the plan regularly and lack confidence in its effectiveness, according to a study conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution.
The fourth annual study – called “Is Your Company Ready for a Big Data Breach?” – shows that the number of organisations that have a plan increased from 61 per cent in 2013 to 86 per cent in 2016.
However, 38 per cent of organisations surveyed have no set time period for reviewing and updating their plans, and 29 per cent have not reviewed or updated one since it was put in place. Furthermore, only 27 per cent of organisations surveyed were confident of their ability to minimise the financial and reputational consequences of a breach, and 31 per cent lacked confidence about dealing with international incidents.
The report also found that only 39 per cent of organisations surveyed practise their plan at least twice a year.
Staff who “flout” security pose biggest IT risk
Nearly two-thirds of IT decision-makers believe employees regularly circumvent company security policies, leaving their organisations open to cybersecurity risks, according to disaster recovery specialist Databarracks’ latest Data Health Check report.
The survey found that 61 per cent of IT executives believe that employees in their organisations carry out lax security practices, such as taking company data offsite, fabricating or omitting information on sign-in sheets, or keeping written records of passwords at least once a month, with over a quarter (28 per cent) saying employees do this daily.
Such findings are particularly worrying when one considers that only two-thirds (59 per cent) of organisations have invested in safeguards in the past 12 months to protect against cyberthreats such as malware, viruses and phishing attacks.
Customers ready to ditch breach-hit brands
Four out of five people in the UK would either cut back or decide never to use an organisation’s products or services following a data breach, according to research by cybersecurity specialist Thales e-security.
Only 16 per cent of respondents said that they would continue to use their products or services as usual, while 20 per cent said they would stop using their products or services completely.
“It’s important for companies to recognise just how much of their customer base might be lost in the wake of breach incidents,” said Sol Cates, the company’s vice-president of technology strategy.
The survey also questioned respondents on what they would be most concerned about following a breach of their personal information. The results showed that theft of money from bank accounts and identity theft were the primary concerns.
ISO boosts firms’ bribery defences
UK standard-setter BSI has launched a standard for detecting and preventing bribery in organisations. BS ISO 37001, Anti-bribery management systems: requirements with guidance for use, helps organisations to put the right controls in place to comply with the 2010 UK Bribery Act.