
Most business leaders only prioritise cyber security after a major breach, report finds

UK government research on hacked UK businesses revealed a general lack of engagement from board members and senior management on security matters

Businesses have reported that senior leadership teams only begin to appreciate cyber security once the business has sustained a “serious” attack.

The observations of “numerous” businesses were revealed in a policy paper, published today by the Department for Culture, Media, and Sport (DCMS), which investigated the experiences of cyber attacks on UK businesses.

Half of the participants involved in the interviewing process conducted by the DCMS said senior leaders recognised that cyber security threats were real only after the business had been attacked.

Common observations among businesses were that senior leaders did not treat security as a priority, and that some didn’t fully understand the scale of the threats or the cultural transition required to meet the growing challenge.

Senior management and board members became markedly more engaged with cyber security as a result of their respective breaches and have since “demonstrated more serious intent” to improve the organisation’s cyber posture, though.

The improvements were observed across all different types of businesses that spoke to the DCMS as part of its research.

The government department said it heard from ten businesses of varying sizes and degrees of IT maturation, most of which operated across different sectors too. The only commonality shared between them was that they all suffered serious cyber incidents in the four years before the research.

The general manager and IT manager at one smaller private organisation (10-49 employees) said the breach it suffered made the organisation “more vigilant” at senior management level.

This heightened vigilance allowed both managers to get immediate sign-off from the board when it came to contracting a new IT provider. This came after the previous company was blamed for a slow response to an attack in which an email was intercepted and client funds were stolen.

For a very large private organisation with more than 250 employees, its head of the cyber security operations centre (HSoC) said its breach brought cyber security to senior leaders’ attention since the company had become “a victim of its own success”.

It had never before experienced a major incident because its protections had always been so effective, the HSoC said, but the smishing attack prompted additional services to be purchased and internal awareness campaigns to be launched.

Other large organisations also reported that the business had not been interested in what the IT teams were doing to stay safe from cyber threats, and that awareness was only sharpened post-attack.

The Chief Security Officer (CSO) at a separate larger private company also said: “I had 100% support of the Board and then post-breach it was 110% support… I would say this one helped accelerate the delivery of a lot of elements of my programme”.


Despite a tumultuous half-decade in cyber security, during which ransomware began to proliferate and dominate the threat landscape, the DCMS report also found that IT teams still struggle to quantify the financial impact of breaches and to convince senior leaders to engage with the issues.

Businesses generally strengthened their defences after their respective attacks in the form of new security products, policies, or staff training. However, the DCMS observed that “very few” developed a list of ‘lessons learned’ that could be used to support the development of future security programmes.

Most businesses acknowledged the industry’s received wisdom that people are often the so-called cyber security weak link, but prioritised spending on new security tools rather than internal awareness training. 

The common justification among businesses was that these tools would help their people do the right thing and make better decisions as a result.
