The study also found that 69% of companies said that senior managers were aware of the problem but only just over half (51%) had taken the recommended actions to avoid cyber attacks. The government is urging companies to use its Cyber Essentials scheme and it said that most of the attacks detected involved viruses, spyware or malware that could have been prevented using the scheme.
Half (51%) of the companies have undertaken five or more of the steps in the Government’s 10 Steps guidance, which is aimed at large companies, although just five per cent have made progress on all 10. The government said that many businesses could do more to formalise their approaches in line with the guidance – just three in ten (29%) have written cyber security policies, and just one in ten (10%) have formal incident management processes. The guidance also highlights the importance of user education and training, although only 17 per cent of firms have had their staff undergo some form of cyber security training in the last 12 months. The survey also found that relatively few companies (34%) have rules specifically around personal data encryption, which the government said has been at the centre of various high-profile cyber security breaches in recent months.
The research was carried out by Ipsos MORI, in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth, and comprised: a representative telephone survey of 1,008 UK businesses from 30 November 2015 to 5 February 2016 and 30 in-depth interviews undertaken in January and February 2016 to follow up businesses that participated in the survey.
In the government’s Cyber Governance Health Check for 2015, which assesses the extent to which FTSE 350 boards and audit committees understand and oversee risk management measures that address cyber security threats to their business, it was found that 63% clearly set out their risk management approach in their annual reports and a third of boards had now clearly set and understood their appetite for cyber risk, up from 18% in 2014. There were 113 responses to the questionnaire with most of the respondents being the non-executive chairs of audit committees.
When asked about their main board’s understanding of the potential resulting impact of loss or disruption to their key information and data assets, just under half (49%) of audit chairs thought they had a clear understanding, with a further 47% having an acceptable understanding and 3% a poor understanding. Over half (57%) of boards’ discussion of cyber risk is underpinned by “some” up-to-date management information and a further 21% received “comprehensive, generally informative” management information. Of the remaining boards, 17% received very little insight.
For a large proportion of boards (54%), cyber risk is a subject that they only hear about occasionally – either bi-annually or when something has gone wrong, the survey found. This is a similar proportion to 2014, but an increase on 2013 (37%). A further 23% of boards regularly consider cyber risk and make decisions – an increase on previous years (8% in both 2014 and 2013). Despite this, 15% of boards reported that they have either heard about it once or twice, or view cyber risk as a technical topic that does not warrant board level discussions. This has decreased from 26% in 2014 and 46% in 2013.
Almost half (49%) of audit chairs said that their boards had the right skills, to a “significant degree”, to manage innovation and risk in the digital world. This is an increase on previous years (38% in 2014 and 39% in 2013).
The government will be publishing a new national cyber security strategy later this year and is also creating a new National Cyber Security Centre offering industry a ‘one-stop-shop’ for cyber security support.
Ed Vaizey, Minister for the Digital Economy, said, “The UK is a world-leading digital economy and this government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”