We recently launched our compliance research, which focused on UK businesses and how they perceive their compliance status.
Something we wanted to dive into was what the current key drivers in UK enterprises’ compliance programmes are, and whether, as a collective, we are in a good place or not.
So here’s the good news overall –
Driving overall risk
74% of businesses spoken to, regardless of their industries, were focused on a strategy of risk reduction.
That’s not bad, but maybe not as high as we would like it.
When you drill into that further per industry, the business services and commercial sectors were the winners, with 100% and 94% respectively of the enterprises asked stating that reducing risk was of paramount importance. In QO’s view, the financial services sector, whilst still high at 70%, should have been ranked number one, considering the potential damage that a lack of focus on cyber risk can cause these enterprises.
QO View: There need to be more consistent cyber risk reduction strategies across all sectors. Whilst some industries really do focus on this, consider that 30% of finance enterprises still do not have this as a key driver, 50% of manufacturers don’t, and 40% in the IT and telecoms sector don’t. Surely we need to do better than this at ensuring that business risk is minimised considerably, particularly in an era of evolving and consistently frequent cyber attacks?
With 3rd party risk, are enterprises focused?
So there may be a broader focus in the press around 3rd party risk, but we are not sure that this is reflected in our results.
Worryingly, in sectors such as manufacturing, where 3rd parties play a key part, only 40% cited this as a key driver. In the finance sector the figure was higher at 65%, and finance came out as the highest response across all sectors, but that is still a really concerning number considering how 3rd parties can be the weakest link in your business’s operational resilience.
QO View: Time and again recently, 3rd party risk has been mentioned as a key risk to enterprises. Across all sectors only 53% of enterprises said that they were focused on this, and 60% of the manufacturers asked still don’t. So our concern is that sectors where 3rd parties play a huge part are still not engaged in how they manage this issue.
Does demonstrating industry best practice play a part?
Well, kind of, yes.
So here are the facts. 50% of all enterprises did cite this as important, and, positively, manufacturing, where best practice plays a major part, scored the highest at 70%.
More worryingly, the finance sector scored the worst, with only 43% stating this as a focus, which raises the question of whether this industry should be more concerned about maintaining best practice considering the vast amounts of data that it holds.
QO View: Why would this not be a focus? Surely demonstrating best practice ultimately keeps a business secure and compliant and stops bad practices from creeping in. So the fact that these numbers are low is concerning.
But did anyone use validation of controls as a key driver?
So whilst the IT, tech and telecoms sector came out top, with 68% of respondents in this industry answering yes, frankly this sector should know better and the response should have been higher.
From a compliance point of view, the finance industry was yet again the second highest, but only 65% of fintech respondents have a focus on validation of controls. All other sectors scored lower.
QO View: We’re concerned here at QO as to whether there really is enough of a focus on controls in keeping businesses secure and compliant. If you cannot validate your controls to ensure that you are compliant, then UK enterprises are surely leaving themselves vulnerable and open to attack, let alone potentially failing in their compliance.
In conclusion, are UK enterprises focused on the right things?
We’re not convinced there are strong statistics to support the view that UK enterprises are really focused on the right activities to ensure they are truly compliant.
Whilst driving a reduction in risk did receive some high scores in some sectors, in others it simply wasn’t high enough, and frankly there was not broad enough coverage, or high enough scores, of the really key activities that ensure enterprises are compliant. 3rd party risk in particular, along with validation of controls, is a key concern for us at QO, and enterprises really must address both with real impetus if they are to succeed in staying compliant and secure.