Half of UK businesses only recognising cyber threats after an attack - report

Most IT personnel were unsure if their leadership fully understood the scale of the threat

By Lyle Adriano

There appears to be a noticeable lack of engagement from UK business leadership when it comes to cybersecurity matters, a new report from the Department for Digital, Culture, Media & Sport (DCMS) has found.

The government department recently published a policy paper entitled “Exploring organisational experiences of cyber security breaches,” which shared the results of the DCMS’s qualitative study on the level of cybersecurity measures organisations have before and after a data breach. Ten organisations (whose identities were not disclosed) that have experienced cyber breaches in the last four years were surveyed for the report. Cybersecurity and/or IT personnel involved with the organisations, as well as members of staff affected by the breaches, were interviewed on their thoughts about how their organisations handled the incidents.

From the 10 case studies, the DCMS drew several key findings:

  • In response to increasing levels of cyber risk, nearly all participants acknowledged the need for ever greater levels of vigilance and investment in cybersecurity. However, while medium and large organisations said they tended to have formal plans in place and budget allocated for cybersecurity investment, small organisations were more likely to say they do not, citing resource constraints. Thus, small organisations’ responses to the perceived growing cyber risk appear to be “largely piecemeal and reactive.”
     
  • While most surveyed staff/IT personnel indicated that their leadership has understood the importance of cybersecurity and is supportive of investing in it, not all were sure their leadership teams fully understood the ‘scale of the threat,’ or the ‘cultural transition’ needed to meet the growing challenge.
     
  • Most of the surveyed staff felt that their organisations put more emphasis on technology than employees to stay secure. For some, technology was a tool to ‘help people do the right thing’; this reflects the notion that people and culture are more of a cybersecurity ‘weak spot’ than the technology being utilised at their organisations.
     
  • One of the most positive outcomes of the breaches is that they demonstrated to leadership that cyber threats are real, those surveyed found. Many of the organisations observed became more engaged with their cybersecurity challenge post-breach and have since demonstrated a more serious intent to help themselves improve.
     
  • However, relatively few organisations attempted to accurately quantify the financial impact of the breaches suffered. Similarly, very few among the surveyed organisations implemented a ‘lessons learned’ process in the aftermath of a breach.
