Two in three FTSE 350 bosses have no cyber attack training

Two in three executives at Britain’s biggest firms have not been trained to deal with cyber attacks, new government research reveals.

This is despite more than half of firms (54 per cent) saying that cyber threats represent one of the biggest risks to their businesses.

The survey of 105 FTSE 350 companies also revealed that one in ten do not have a plan for dealing with the fallout of a cyber incident.

Digital minister Matt Hancock said recent cyber attacks had illustrated the devastating effects of failing to adopt an effective cyber security strategy.

“[The cyber health check] shows we have a long way to go until all our organisations are adopting best practice,” he added.

WannaCry malware sent shockwaves through the cyber security industry in May when it paralysed parts of the NHS and thousands more organisations.

Just weeks later, another type of malware, NotPetya, hit the headlines after it struck some of the world’s biggest companies, including British ad giant WPP.

This year’s cyber health check does reveal some signs of progress. The percentage of boards setting out their approach to cyber security, for example, has risen from 33 per cent to 53 per cent in the last 12 months.

The publication of the research comes as the government is preparing to introduce its new Data Protection Bill to parliament.

It will give citizens the right to ask companies to delete their personal data, let the ICO issue fines of up to 4 per cent of a company’s turnover and introduce the EU’s new General Data Protection Regulation (GDPR) into UK law.

GDPR comes into effect in May next year. The government’s research found that just 13 per cent of companies’ boards regularly consider the regulation. Nevertheless, 71 per cent said they were somewhat prepared for it.

Phill Everson, head of risk services at Deloitte, which helped conduct the report, said: “Cyber breaches will have to be reported within 72 hours under General Data Protection Regulation (GDPR). This is significantly sooner than the period that many companies have historically alerted customers, which often runs into many months.

“As hackers become increasingly more sophisticated, companies will have to ensure that staff training and technology stays ahead of the evolving cyber threat to respond in a timely and effective manner.”