Cybersecurity is a growing priority for company directors in the UK, but that may not be translating into improvements in their businesses’ cyber resilience, according to a new study.
The results of the UK government’s cybersecurity breaches survey 2022 show that 82% of boards or senior management within UK businesses rate cybersecurity as a ‘very high’ or ‘fairly high’ priority, up from 77% in 2021. However, the government said interviews it had conducted with organisations “suggest a number of challenges about how to translate board engagement with cybersecurity into increased cyber resilience amongst businesses”.
In the study, the government surveyed 1,243 UK businesses, 424 UK registered charities and 420 education institutions between 16 October 2021 and 21 January 2022. It carried out a further 35 in-depth interviews with organisations it had surveyed.
The survey found that 54% of businesses have acted in the past 12 months to identify cybersecurity risks, taking a range of actions like applying technology to monitor for security threats. However, the interviews revealed that there is often “limited board understanding” of cyber risks and that reliance is often placed on third party cybersecurity providers, internal cybersecurity experts or insurance companies to manage the risks businesses face.
The government said: “Organisations spoke of challenge around creating a clear commercial narrative that can be used in internal budget conversations, to ensure that cybersecurity is given appropriate investment against other competing business demands. There is a lack of understanding of what constitutes effective cyber risk management, which is compounded by a lack of expertise and perceived complexity of cyber security matters at board level.”
The government’s study revealed that there are gaps in many organisations’ cybersecurity.
Mapping against the National Cyber Security Centre’s ’10 steps’ guide to cybersecurity, the government found that just 29% of businesses train staff or undertake mock exercises to test susceptibility to ‘phishing’ attacks – the most common form of cyber attack recorded by the survey.
Other notable findings include the fact that only 19% of businesses have a formal incident response plan for managing cyber incidents, while just 14% of businesses surveyed said they monitor risks from suppliers or the wider supply chain despite the fact that hackers are increasingly looking to suppliers for access to corporate systems and data.
The study found that 43% of UK businesses have an insurance policy in place that insures them against cyber risks. A minority of medium and large-sized companies have specific cyber insurance policies – most businesses with cyber insurance benefit from cover within more general policies, according to the survey report.
The study also found rising concern among the business community about the risk of ransomware but that in many cases insurers have either raised premiums to account for ransomware payouts or excluded such payouts from the scope of their policies over the past year.
Of the businesses surveyed, 39% said they had identified a cyber attack on their organisation in the previous 12 months.
Separate data obtained from the UK’s Financial Conduct Authority (FCA) by cybersecurity provider Picus Security found that the number of material cybersecurity incidents reported to the FCA by financial institutions in 2021 was up more than 50% on the number of such incidents reported in 2020. Almost two-thirds of the incidents reported were cyber attacks and 20% of cases were ransomware attacks.
“The threat of a cyber attack has increased significantly in the last few years,” said cyber risk expert Julia Varley of Pinsent Masons. “It is vitally important that organisations take appropriate steps to become ‘cyber-ready’ in order to put themselves in a better position to respond to an incident quickly. This includes having an established internal procedure in place which has been rehearsed.”
Pinsent Masons has developed a proprietary cyber readiness product, Cyturion, to assist clients in developing or augmenting their cyber response plans. Pinsent Masons’ Human Cyber Index further provides clients with in-depth analysis of their employees’ information and cybersecurity behaviours to enhance their efforts in mitigating cyber risk and protecting their organisation.