NEWS 22 August 2017

Majority of FTSE 350 boards untrained to deal with cyber attack

UK – Sixty-eight per cent of FTSE 350 boards have not received any training to deal with a cyber incident, according to a new government report.

The FTSE 350 Cyber Governance Health Check Report 2017 presents findings from a survey with the UK’s top 350 companies on how they are managing their cyber risks.

It reveals that while 31% of boards say they receive comprehensive and informative management information on cyber risk (an increase from 21% in 2015/16), 68% have received no training to deal with a cyber incident and 10% of boards have no plan in place to respond to one.

The findings also reveal that nearly six in 10 (57%) of boards have a clear understanding of the potential impacts resulting from a loss of, or disruption to, key information or data assets, which has risen from 49% in 2015/16. Just over half (54%) of boards view cyber risk as a top/group risk, when compared with all the risks faced by their company (up from 49% in 2015/16).

Just 6% of boards describe their business as ‘completely prepared’ to meet the requirements of the upcoming General Data Protection Regulation (GDPR), which will come into force in May 2018. Nearly three quarters (71%) said they were somewhat prepared.

"An increasing number of organisations who responded to the survey relayed the importance of cyber security in terms of the need to protect their services, reassure the public on the safety of their personal data and measure their organisation’s own exposure to cyber risk," said Matt Hancock, Minister of State for Digital, in the report’s foreword. "Decisions about cyber are increasingly being taken at the board level, which reflects a significant, positive culture shift amongst FTSE 350s since the launch of the scheme.

"However, cyber maturity among FTSE 350s needs to improve at a faster rate to ensure we can stay ahead of future cyber security challenges. This year’s report shows that a small number of FTSE 350 businesses are continuing to operate without plans in place for managing cyber incidents. This is increasingly irresponsible. Furthermore, as we approach the deadline to introduce new regulation such as the General Data Protection Regulation, businesses should continue to prepare themselves for the responsibilities that come with these new requirements."