A UK government report highlighting a significant lack of understanding among directors of FTSE 350 companies of how cyber attacks can hit businesses has been dubbed “alarming” by a cyber security professional.

The Government report, published today, found only 16% of boards have a full understanding of the impact from and disruption associated with cyber attacks, despite 96% having an established cyber security strategy.

“It’s alarming to see that the boards of the UK’s biggest businesses don’t understand the impact of cyber attacks, especially given that the impact of a serious attack is absolutely proven to impact revenue, reputation and even individual jobs,” said Jason Hart, CTO of Data Protection at Gemalto and former ethical hacker, in response to the report.

Furthermore, the report found that while 95% have a plan in place to respond to cyber attacks, only 57% regularly test it, meaning for many it is likely to prove ineffective in the event of a real incident.

“Of course these organisations will have a cybersecurity strategy in place, but if the business doesn’t understand it – let alone test it – it may as well not be there,” added Hart.

While the situation remains poor, it is an improvement on the findings of the UK government's 2017 report.

Some 72% of boards now acknowledge the risk of cybersecurity threats is high, compared to only 54% in the previous year.

“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made,” UK digital minister Margot James said.

“Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the Government’s advice and training that’s available.”

Given the damaging impact a cybersecurity incident can have on an organisation, it is imperative that company boards do more, James argued.

“We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack,” said James.

This is not just a matter of improving understanding, but also of ensuring the right people are present at board level.

“They must ensure that business strategy is closely aligned to the cybersecurity strategy by ensuring CISO, or equivalent, representation at the highest level – the boardroom,” Hart said.

“The CISO must, in turn, be situationally aware of the threat landscape, what needs to be protected and have an understanding of how businesses work in order to be effective.

“On the other hand, business leaders such as the CEO must understand the value of cybersecurity to their business, as it is ultimately their responsibility should a breach occur. Until this balance is achieved UK businesses can’t expect things to improve.”

This article was originally published on our sister title https://www.verdict.co.uk/