Cyber attacks and the GDPR: businesses aren’t prepared
Britain’s top firms and charities urgently need to do more to protect themselves from online threats, according to new Government research.
Undertaken in the wake of recent high profile cyber attacks, the survey of the UK’s biggest 350 companies found more than two-thirds of boards had not received training to deal with a cyber incident (68%) despite more than half saying cyber threats were a top risk to their business (54%).
One in ten FTSE 350 companies said they operate without a response plan for a cyber incident (10%) and less than a third of boards receive comprehensive cyber risk information (31%).
Minister for Digital, Matt Hancock, said:
“We have world leading businesses and a thriving charity sector but recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right.
“These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the Government’s advice and training.”
There has been progress in some areas when compared with last year’s health check, with more than half of company boards now setting out their approach to cyber risks (53% up from 33%) and more than half of businesses having a clear understanding of the impact of a cyber attack (57% up from 49%).
The Government is fully committed to defending against cyber threats and a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9bn of transformational investment. This includes opening the National Cyber Security Centre and offering free online advice as well as training schemes to help businesses protect themselves.
The 10 Steps to Cyber Security guide sets out a comprehensive framework to help company boards manage cyber risks, from getting the basics right through to protecting their most critical assets, and the Cyber Essentials scheme sets out the technical basics all companies should have in place.
The Government has also announced proposals on how to help the nation’s essential industries be more resilient to cyber threats through the NIS Directive.
Separate new research looking at the cyber security of charities has also been published. It found charities are just as susceptible to cyber attacks as businesses, with many staff not well informed about the topic and awareness and knowledge varying considerably across different charities. Other findings show those in charge of cyber security, especially in smaller charities, are often not proactively seeking information and are relying on outsourced IT providers to deal with threats.
The FTSE 350 Cyber Governance Health Check is the Government’s annual report providing insight into how the UK’s biggest 350 companies deal with cyber security.
The Government will soon be introducing its new Data Protection Bill to Parliament. With this coming into effect next May and implementing the General Data Protection Regulation (GDPR), the report included questions about data protection for the first time.
The new data protection law will strengthen the rights of individuals and provide them with more control over how their personal data is being used.
The report found:
- awareness of GDPR was good, with almost all firms (97%) aware of the new regulation;
- almost three-quarters (71%) of firms said they were somewhat prepared to meet the GDPR requirements, with only 6% being fully prepared;
- just 13% said GDPR was regularly considered by their board; and
- 45% of boards say they are most concerned with meeting GDPR requirements relating to an individual’s right to personal data deletion.
The Information Commissioner’s Office (ICO) has produced guidance for organisations on implementing the Regulation, including a checklist for businesses on the actions they need to take, and a series of interactive workshops and webinars.
The ICO will also produce guidance for organisations about their responsibilities under the GDPR and for individuals on their rights under the GDPR. The Department for Digital, Culture, Media and Sport will continue to work closely with the ICO during this transitional period.