While nearly every big company (96%) claims to have a cybersecurity strategy in place, less than half (46%) back that up with dedicated budget. And only one in eight (16%) say they have a comprehensive understanding of the impact of loss or disruption that comes with cyber threats.
Similarly, while the vast majority (95%) of the FTSE 350 survey respondents said they had a cyber security incident response plan, only 57 percent actually test them on a regular basis.
And just one in five boards have undertaken a crisis simulation on cyber risk in the last 12 months, according to the government's FTSE 350 Cyber Governance Health Check report, which monitors how large companies are approaching tech security.
Still, it seems that awareness of the threat of cyberattacks is at least increasing, even if big companies aren't exactly sure what to do about it: almost three quarters (72%) of respondents acknowledge the risk of cyber threats is high — significantly up on just over half (54%) last time around.
The arrival of the General Data Protection Regulation (GDPR) also seems to have had an impact: three quarters of respondents said that board discussion and management of cybersecurity had increased since GDPR.
The report also warns that while the supply chain is increasingly becoming a target for cyberattacks, recognition of cyber risks in the supply chain appears to be a significant gap. While nearly three-quarters (73%) of boards recognise that the cyber risks arising from businesses in the supply chain are relatively high, less than a quarter (23%) recognise the cyber risks associated with firms that are not directly contracted by the business (fourth party and beyond), leaving them particularly vulnerable to such threats.
Cyber security is a business issue, not an IT issue, said Kevin Williams of the KPMG UK cybersecurity practice: "Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents."
It's worth pointing out that this survey covers the biggest and richest companies in the UK. If, despite plenty of evidence of cyber espionage and the increasing risk of attacks on industrial systems too, these big firms can't get a handle on security, what hope is there for smaller organisations with less money?