The UK’s largest quoted companies are failing to provide enough information about cyber security risks to their boards of directors, according to a poll that reports more than two-thirds of boards have not been trained in how to respond to an attack.
Just 31 per cent of the 105 FTSE 350 boards that responded to a UK government survey said they received “comprehensive, generally informative” reports about cyber crime. Only 28 per cent said they were trained to deal with an incident.
The results reveal poor boardroom oversight of cyber threats in the UK despite a number of high-profile attacks in the past three years. Intelligence officials have warned that corporate cyber crime is on the rise and earlier this year, the large-scale “Petya” and “WannaCry” malware attacks caused serious disruption at the NHS and other large companies.
“Recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right,” said Matt Hancock, the UK’s digital minister. “We have a long way to go until all our organisations are adopting best practice.”
The UK has a large number of finance, manufacturing and technology companies and is on the frontline of attacks in Europe, according to research by FireEye, a US cyber security company. It found Britain was the target of one in eight malware attacks on Europe between January and September last year.
However, UK companies have been slow to update IT systems to deal with the threat and City of London bosses have even suggested businesses should hire younger directors to speed up the process.
“While cyber security has cemented itself on to the board’s agenda, they often lack the training to deal with incidents,” said Paul Taylor, UK head of cyber security at KPMG. “This is hugely important, as knowing how to deal confidently with an incident in the heat of the moment can save time and money.”
UK companies will soon be forced to improve data security in response to the EU’s General Data Protection Regulation. The rules, which come into effect next May and will be integrated into UK law after Brexit, require businesses to identify and report attacks within 72 hours. In a survey of 900 businesses by Veritas Technologies, a cloud data management company, almost two-thirds said this would be difficult to do.
Only 6 per cent of the FTSE 350 companies polled by the government said they were fully prepared for GDPR.