Government report states UK boards must improve cyber awareness – but how remains unclear

Let’s get one thing straight: everyone and their dog knows that UK businesses must improve their cybersecurity. The problem is, much of the noise on the matter comes from vendors whose agenda – that is, to sell – doesn’t always fill organisations with trust. Almost every week a new report highlighting the torrid state of UK cybersecurity emerges, and this din has ultimately led to desensitisation. In some respects, it’s like the boy who cried wolf.

But when it’s the UK Government raising the alarm, businesses know it’s time to take heed. And that’s exactly what happened last week, when the Department for Digital, Culture, Media & Sport (DCMS) released its Cyber Governance Health Check 2018, which examines UK FTSE 350 companies’ approach to cybersecurity.

The report revealed that less than a fifth (16%) of British boards have a thorough understanding of the impact cyber threats can have on their business in terms of loss or disruption. And when you consider over four in ten businesses (43%) have experienced a cybersecurity breach or attack in the last 12 months – well, it doesn’t take a genius.

The issue isn’t that boards are ignoring the cybersecurity problem; 96% of them do have a cybersecurity strategy in place (even if less than half boast a dedicated budget). It’s instead that the strategies boards have put in place are ineffective. Which raises the question, why? 

The likeliest answer is that most boards are still utilising traditional methods such as classroom learning to boost their cyber awareness. But when dealing with dry, though important, topics like risk and compliance, this is a recipe for disaster.

The government report suggests that companies should, before anything else, focus on increasing the skills and knowledge of existing board members so that they better understand their business-critical assets. But beyond its Board Toolkit, which is essentially just a series of prompts and questions, the government provides no solution for actually achieving this.

To increase cyber awareness, clearly, the learners must first be engaged. But if businesses think the answer is inviting a cyber expert to deliver a one-off PowerPoint presentation, or handing out stale, lengthy manuals, improvement won’t arrive any time soon. The answer is providing board members access to a low-maintenance, interactive solution that makes ‘boring’ topics fun – and the key to this is gamification.

One may assume that gamification is trivial and not something highly successful businesspeople have time for – but this isn’t the case. Gamification is about using game mechanics such as jeopardy, reward, and competition to boost engagement by making learning addictive. And it works. TalentLMS’s Gamification at Work survey found 85% of employees would spend more time on software that was gamified, while 87% agreed gamification made them more productive. If UK FTSE 350 boards began using such a solution to boost cyber awareness, next year’s government report would show significant progress.