Disturbing lack of cyber attack awareness among directors

Britain’s top firms and charities urgently need to do more to protect themselves from online threats, according to new government research and a ‘cyber health check’.


One in ten FTSE 350 companies said they operate without a response plan for a cyber incident, and only 31 percent of boards receive comprehensive cyber risk information.

There has been progress in some areas when compared with last year’s health check, with more than half of company boards now setting out their approach to cyber risks (53 percent up from 33 percent) and more than half of businesses having a clear understanding of the impact of a cyber attack (57 percent up from 49 percent).

“Having some of the brightest business minds in your organisation may translate to short-term wins now, but the high-profile directors without any basic training on how to deal with cyber attacks could send a company’s stock falling in the future. With no immediate threat of another financial crisis, the main threat to SMEs and large businesses now presents itself in the form of a cyber attack that could cripple databases, steal sensitive information and extract money. Companies ought to be aware of how to deal with such an incident should it occur, putting in the necessary training from high-level director right down to intern – this is important when you consider that the majority of cyber incidents occur through human error,” said Rob Wilkinson, Corporate Security Specialist at Smoothwall.

Charities and cybersecurity

Separate new research looking at the cyber security of charities has also been published. It found that charities are just as susceptible to cyber attacks as businesses, that many staff are not well informed about the topic, and that awareness and knowledge vary considerably between charities. Other findings show that those in charge of cyber security, especially in smaller charities, often do not proactively seek information and instead rely on outsourced IT providers to deal with threats.

Where charities recognised the importance of cyber security, this was often because they hold personal data on donors or service users, or because their trustees and staff have private sector experience of the issue. Charities also recognised that those responsible for cyber security need new skills and that general awareness among staff needs to be raised.


Barriers to improvement for charities

“Charities must remember that, in addition to the social good they strive towards, they also have a duty of care to protect the personal information of their donors. Charities will not be spared from new data protection rules under GDPR, and some may be unable to weather the storm should they fail to meet their obligations. With widespread IT and security outsourcing to cloud-based services and third-party providers, many charities may be introducing significant supply chain risk and punching holes in an already meagre security posture. Strong data management, security policies and investment in the latest threat detection and response technologies must be top of the agenda,” said Matt Walmsley, EMEA director of Vectra.

Data Protection Bill

The Government will soon be introducing its new Data Protection Bill to Parliament. The Bill, which implements the General Data Protection Regulation (GDPR), comes into effect next May, so the report for the first time included questions about data protection.

The new data protection law will strengthen the rights of individuals and provide them with more control over how their personal data is being used.

The report found:

  • Awareness of GDPR was good, with almost all firms (97 per cent) aware of the new regulation
  • Almost three quarters (71 per cent) of firms said they were somewhat prepared to meet the GDPR requirements, with only 6 per cent being fully prepared
  • Just 13 per cent said GDPR was regularly considered by their board
  • 45 per cent of Boards say they are most concerned with meeting GDPR requirements relating to an individual’s right to personal data deletion.