Despite recent high-profile cyber attacks, more than two-thirds of boards at the UK's biggest companies have not received training to deal with a cyber incident (68%), according to the government's latest cyber governance health check survey.
The survey of FTSE 350 companies found that more than half of respondents said cyber threats were a top risk to their business (54%). However, the survey also found that one in ten (10%) operated without a response plan for a cyber incident, and less than a third of boards received comprehensive cyber risk information (31%).
However, there has been progress in some areas when compared with last year’s health check, with more than half of company boards now setting out their approach to cyber risks (53% up from 33%) and more than half of businesses having a clear understanding of the impact of a cyber attack (57% up from 49%).
Of the FTSE 350 companies sent a questionnaire, 105 responded to the 2017 health check survey. This compared with 113 respondents in 2015/16 and 108 in 2014. The report said that the largest proportion of respondents came from the financial services sector (23%), while companies from the retail, travel and leisure sector (17%) also featured prominently.
The majority of respondents described themselves as non-executives (77%), a similar proportion to the last health check report. Of those non-executives, the majority were the chair of their company's audit committee (65%).
The government also published separate research into cyber-security within the charitable sector. It found that charities were just as susceptible to cyber attacks as businesses, with many staff not well informed about the topic and awareness and knowledge varying considerably across different charities.
Matt Hancock, minister for digital said: “We have world leading businesses and a thriving charity sector but recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right.
These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the Government’s advice and training.”
The government said it was fully committed to defending against cyber threats and a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment. This included opening the National Cyber Security Centre and offering free online advice as well as training schemes to help businesses protect themselves.
A consultation on the UK's implementation of the EU's Security of Network and Information Systems Directive ("NIS Directive") has also been launched. The NIS Directive will help make sure UK operators in electricity, water, energy, transport, health and digital infrastructure are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards.
Last Updated: 27 August 2017