A new survey by the Department for Business, Innovation & Skills has revealed that a mere 14% of FTSE 350 firms are regularly considering cyber threats in their decision making.
According to the findings, only 25% of leading UK public companies consider cyber threats a top risk area, and only 17% have clearly set what they see as an acceptable level of cyber risk. Only just over half even acknowledge cyber threats on their 'risk register.'
The findings are in stark contrast to the reality of the threat from cyber attackers. A survey by the same government department in April found that attacks on businesses are on the rise, with 93% of large organisations having been the victim of a cyber security breach in 2013. The average cost to major businesses was between £450,000 and £850,000, with several breaches costing companies millions. Similarly, 87% of small firms experienced an attack, up 10% from last year. Affected companies reported a 50% rise in attacks compared to a year ago.
'The cyber crime threat facing UK companies is increasing,' said science minister David Willetts. 'Many are already taking this extremely seriously, but more still needs to be done.'
'We are working with businesses to encourage them to make cyber security a board-level responsibility.'
To tackle the growing threat, the government is working with industry to develop an official ‘cyber standard’ which will help stimulate the adoption of good cyber practices among businesses. Backed by industry, the kitemark-style standard will be launched early next year, as part of the £860 million cross-government National Cyber Security Programme.
Ashish Patel, regional director at McAfee Group's network security firm Stonesoft, urged the assessment of how cyber security awareness extends beyond the boardroom.
'This is especially true of the FTSE 350, which arguably handle most of the UK’s sensitive business data and are the most sought-after prize from a cyber-criminal’s point-of-view,' said Patel.
'In developing the kitemark-style standard, the Government needs to ensure a focus on the formation of an entire security-aware workforce, whereby all employees are regularly engaged, educated and empowered to report risky behaviour and potential threats. Those on the ground need to be tuned into the dangers organisations are exposed to online, and how to tackle these, just as much as the C-suite.'