Only half (56%) of UK firms have a strategy in place to protect devices and data from cyber-threats, according to a new report from the Institute of Directors and Barclays Bank.
A survey of 844 IoD members found that while nearly all (95%) said they consider cybersecurity to be important to their business, they aren’t following through with practical steps to lower online risk.
Less than a third use virtual private networks (VPNs), for example.
What’s more, if their business became a cyber-attack victim, less than half (40%) would know who to contact.
This is especially important given that new European data protection rules set to land in May 2018 will mandate 72-hour breach notifications to the local supervisory authority – in the UK’s case, the Information Commissioner’s Office (ICO).
The IoD study also revealed that less than half of respondents (44%) had funded cyber-awareness training and many leave gaps of over a year between programs.
The ICO last week urged local councils – liken their counterparts in the private sector – not to forget to train temporary staff, and to conduct annual refresher training for all employees.
On the plus side, the report found that two-thirds of respondents now use a variety of different passwords, minimizing their risk exposure, and nearly three-quarters have processes in place to verify the authenticity of inbound electronic invoices or payment requests.
Richard Brown, director of EMEA channels & alliances at Arbor Networks, said he was shocked by some of the report's findings.
“Attack methodologies are evolving by the day and as such, it is no longer acceptable for businesses to be complacent about their cybersecurity strategy,” he added.
“Businesses must take the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. Organizations should also instrument their internal networks so that they have broad and deep visibility of network traffic, threats and user behavior.”