Data Driven Futures

Big business doesn’t grasp cyber risk: government

Written by Hannah McGrath
05/03/2019

A government report has found that some of the UK’s leading companies are struggling to understand the potential impact of a cyberattack on their business, with less than a fifth (16 per cent) of boards having a full grasp of the threat.

A joint survey compiled by the National Cyber Security Centre (NCSC) and the Department for Digital, Culture, Media and Sport (DCMS) analysed how the UK's FTSE 350 companies approach cyber security and the threats they face.

It found that despite almost all of them (96 per cent) having a cyber security strategy in place, just 16 per cent said they had a “comprehensive understanding” of the impact of loss or disruption associated with cyber threats on their organisation.

Almost three quarters (72 per cent) of respondents acknowledged the risk posed by cyber threats was high, marking an improvement on the just over half (54 per cent) who said the same in 2017.

The report also highlighted the positive impact of the General Data Protection Regulation (GDPR), which came into force last year, finding that it had increased boards' focus on cyber threats.

Over three quarters (77 per cent) of those responding to last year's health check said that board discussion and management of cyber security had increased since GDPR came into force. As a result, over half of those businesses had also put increased security measures in place.

Additionally, although the large majority of businesses (95 per cent) do have a cyber security incident response plan, only around half (57 per cent) actually test that plan on a regular basis.

Launching the report, digital minister Margot James said: “The UK is home to world leading businesses but the threat of cyberattacks is never far away. We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyberattack.”

She said the report showed that the UK's businesses still had some way to go in ensuring their systems were fully prepared for the increasing threat of cyberattacks, adding: "Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government's advice and training that's available."

The report comes after the government announced a £1.9 billion investment in a new cyber governance health check scheme for businesses, to be rolled out over the next five years. The scheme includes a new set of standards, or cyber resilience metrics, built on risk-based principles and intended to let firms measure and benchmark how effectively they are managing their cyber risk profile.

Ciaran Martin, chief executive of the NCSC, said: "Every company must fully grasp their own cyber risk – which is why we have developed the NCSC's Board Toolkit to help them."

He added: “This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice. Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”