MI5 and GCHQ call for 'cyber health check' for all FTSE 350 companies
Letter to FTSE 350 companies urges them to take action after all are found to be 'leaking' data online
The director general of MI5, Andrew Parker, and the director of GCHQ, Sir Iain Lobban, have urged all FTSE company chairmen to take part in a "cyber governance health check".
The consultancy firm found that every company in the FTSE 350 was leaking data online, such as employee usernames, email addresses and sensitive internal file location information.
On average, 41 usernames, 44 email addresses and five sensitive internal file locations were found for each company.
Parker and Lobban have written to all of the chairmen of FTSE 350 companies to ensure that those at the head of each company are aware of the importance of cyber security, the Financial Times reports.
The "health check" will involve a questionnaire that has to be completed by the chairman and the chair of the company's audit committee. Questions will include the way that the firm handles intellectual property online and how it safeguards customer data.
The results of the questionnaire will be anonymised and ranked, to enable companies to see how they rate on cyber security compared with other FTSE 350 companies.
The security chiefs urged chairmen to complete the cyber questionnaire themselves.
"By delegating the completion of the Tracker (for example, to your CIO), your results may overlook existing internal vulnerabilities linked to governance," the letter reads.
Science minister David Willetts signed the letter with Parker and Lobban, and said the information would "give us a sense of how cyber aware companies are, and what sort of risk assessment they have put in place".
Willetts said he hoped to publish some findings based on the health check in October or November this year.
There will then be an in-depth discussion with each company's audit firm about areas in which a company may be particularly vulnerable.
Mark Brown, director of information security at Ernst & Young, welcomed the government's plans and encouraged all businesses invited to take part in the survey.
"This is the first major step towards taking the theoretical framework that was the Cyber Security for Business Initiative, launched in 2012, into practical implementation and presents businesses with an opportunity to embed cyber checks into their standard corporate behaviour," he said.
However, he said that with businesses in the UK reporting an increase in cyber-attacks, the current plans don't go far enough.
"The threat is relevant to, and should be embraced by, the wider business community proportionally. The current plan should expand to include suppliers to FTSE 350 firms.
"This is the only way to ensure that their supply chains don't continue to pose an indirect risk to businesses in and out of the index, nor do they cancel the positive impact of this initiative," he said.