More than two-thirds of FTSE 350 boards have never received any training to deal with a cyber-attack and 10% have no plans in place to respond to an incident, UK government research has revealed.
Undertaken in the wake of recent high-profile cyber-attacks, the survey of the UK’s biggest 350 companies found that 68% of boards had not received any incident-response training, even though 54% of them rated cyber risk as a top risk to their business.
Digital minister Matt Hancock said: “We have world-leading businesses and a thriving charity sector, but recent cyber-attacks have shown the devastating effects of not getting our approach to cyber security right.
“We have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the Government’s advice and training.”
There has been progress in some areas compared to a survey carried out last year, with more than half of company boards now setting out their approach to cyber risks (53%, up from 33% last year).
Last year, the government announced a five-year National Cyber Security Strategy (NCSS), backed by £1.9 billion of funding.
This includes opening the National Cyber Security Centre (NCSC) and offering free online advice as well as training schemes to help businesses protect themselves.
The 10 Steps to Cyber Security guide sets out a comprehensive framework to help company boards manage cyber risk, from getting the basics right through to protecting their most critical assets, while the Cyber Essentials scheme sets out the technical basics all companies should have in place: its five controls cover boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management.
Alex Dewdney, NCSC director for engagement, said: “Everyone has a part to play. That’s why we are committed to providing organisations with expert advice through our website and direct engagement.
“We also urge organisations to follow the guidance in the Government’s Cyber Essentials Scheme.”
The findings were contained in the FTSE 350 Cyber Governance Health Check, the Government’s annual report providing insight into how the UK’s biggest 350 companies deal with cyber security.
It is carried out in collaboration with the audit community, including Deloitte, EY, KPMG and PwC.
Paul Taylor, UK head of cyber security at KPMG, said: “While cyber security has cemented itself onto the board’s agenda, they often lack the training to deal with incidents. This is hugely important as knowing how to deal confidently with an incident in the heat of the moment can save time and money. The aftermath of a cyber-attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge.”
Zubin Randeria, cyber security leader at PwC, added: “The most successful leaders will be those who take an active involvement in cyber security governance and set the tone from the top - this is not an issue just to delegate to more technical teams.”
Phill Everson, head of cyber risk services at Deloitte, said that although the report marked a clear improvement in board level awareness, there was still some way to go, particularly as the new General Data Protection Regulation will require official notification of breaches within 72 hours.
He added: “As hackers become increasingly sophisticated, companies will have to ensure that staff training and technology stay ahead of the evolving cyber threat to respond in a timely and effective manner.”
Stuart Whitehead, UK head of cybersecurity, privacy and resilience at EY, added: “With the current backdrop, the cyber agenda is evolving into a conversation about organisations’ resilience to cyber-attacks. This is not only how organisations protect themselves but how they respond to an incident, recover business processes and limit the impacts to revenue and reputation.”
Further information is available at www.gov.uk/cybersecurity.