Cyberattack planning is still depressingly poor, even in big businesses

Most companies have a strategy, but fewer have the funds or detailed plans to back it up.
Written by Steve Ranger, Global News Director

The top management at some of the UK's biggest companies still don't fully understand the potential risks of a cyberattack on their business, says a government report.

While nearly every big company (96%) claims to have a cybersecurity strategy in place, less than half (46%) back that up with dedicated budget. And only one in eight (16%) say they have a comprehensive understanding of the impact of loss or disruption that comes with cyber threats.

Similarly, while the vast majority (95%) of the FTSE 350 survey respondents said they had a cybersecurity incident response plan, only 57 percent actually test it on a regular basis.

Image: FTSE 350 Cyber Governance Health Check 2018

And just one in five boards have undertaken a crisis simulation on cyber risk in the last 12 months, according to the government's FTSE 350 Cyber Governance Health Check report, which monitors how large companies are approaching tech security.

Still, it seems that awareness of the threat of cyberattacks is at least increasing, even if big companies aren't exactly sure what to do about it: almost three quarters (72%) of respondents acknowledge the risk of cyber threats is high — significantly up on just over half (54%) last time around.

The arrival of the General Data Protection Regulation (GDPR) also seems to have had an impact: three quarters of respondents said that board discussion and management of cybersecurity had increased since GDPR.


The report also warns that while the supply chain is increasingly becoming a target for cyberattacks, recognition of cyber risks in the supply chain appears to be a significant gap. While nearly three-quarters (73%) of boards recognise that the cyber risks arising from businesses in the supply chain are relatively high, less than a quarter (23%) recognise the cyber risks associated with firms that are not directly contracted by the business (fourth party and beyond), leaving them particularly vulnerable to such threats.


Cybersecurity is a business issue, not an IT issue, said Kevin Williams of the KPMG UK cybersecurity practice: "Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents."

It's worth pointing out that this survey covers the biggest and richest companies in the UK. If, despite plenty of evidence of cyber espionage and the increasing risk of attacks on industrial systems too, these big firms can't get a handle on security, what hope is there for smaller organisations with less money?
