PwC: UK Firms in the Dark Over Cyber-Attacks

UK organizations are unprepared for cyber-attacks, lack visibility into threats and aren’t doing enough to collaborate internally and externally, according to PwC.

The professional services giant’s Global State of Information Security Survey 2018 polled 560 executives from UK companies and public sector organizations of all sizes.

Over a quarter (28%) claimed they didn’t know how many attacks their organization had suffered over the past year while a third (33%) said they didn’t know how the attacks had occurred.

What’s more, 17% admitted to not running any kind of preparatory cyber-drills and less than half (49%) conduct vital pen tests.

Bharat Mistry, principal security strategist at Trend Micro, was surprised at this lack of preparedness.

“The last thing you want when you have a breach is for staff to be reading the breach response handbook and trying to figure out who should do what. In fact, I would say if you haven’t tested your breach response plan, then it’s not worth the paper it’s written on,” he told Infosecurity.

“With the looming deadline of GDPR and the consequential fines for breaches of personal data, it’s now more imperative than ever to make sure that you not only have a plan but it’s tested and effective to ensure compliance.”

The bad news doesn’t end there. Less than half (44%) collaborate with peers in the industry compared to 58% globally, and not many more (53%) form cross-organizational teams featuring finance, legal, risk, HR and IT execs to regularly discuss and strategize over security issues.

“Cybersecurity needs to be viewed as a ‘team sport’ rather than just an issue for the IT team,” said partner Richard Horne. “To be most effective, everyone in an organization should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.”

Perhaps unsurprisingly given the above, there is a general lack of interest in cybersecurity at board level. Just 34% said board members actively participate in strategy, versus 44% worldwide.

UK organizations are also holding back on insurance: only 44% said they had a policy in place compared to 58% globally.

Yet firms are experiencing serious repercussions. UK organizations faced 19 hours of downtime from security incidents during the reporting period, 21% had internal records lost or damaged, 20% had employee records compromised and 23% saw customer records stolen.

The latter in particular bodes badly for GDPR compliance.

Targeting employees is the most common way of attacking a UK firm, up from 20% to 27% in this report, while mobile device breaches (29%) were top globally.

On the plus side, 64% of respondents said they had an overall security strategy in place and over half (53%) agreed that spending is based exclusively on risk. However, average budgets have been slashed from £6.2m to £3.9m.