When it comes to managing cybersecurity, the approach taken by leadership within the business is vital. In the UK, there currently appears to be a lack of the sustained engagement that preventative measures require. According to a new report from the Department for Digital, Culture, Media & Sport (DCMS), half of businesses aren’t responding to cyber threats until it is too late.
The government department recently published a policy paper entitled “Exploring organisational experiences of cyber security breaches”, which outlined the findings of the DCMS’s qualitative study on the level of cybersecurity measures organisations have in place before and after a data breach. Ten organisations were included in the study, all of which have experienced cyber breaches in the last four years. The organisations’ IT personnel, along with various members of staff, were interviewed about how their businesses handled the incidents.
From the 10 case studies, the DCMS drew several key findings:
Lack of vigilance and preparation
In response to increasing levels of cyber risk, almost 100% of participants agreed that there was a need for greater levels of vigilance and investment in adequate cybersecurity. However, while large and medium organisations reported having formal plans in place and budget allocated for cybersecurity investment, a substantial number of smaller organisations said they do not, citing resource constraints. This has led to small businesses’ responses to growing cyber threats appearing to be reactive rather than proactive.
While most surveyed staff indicated that their leadership were compliant and aware of the importance of investing in cybersecurity, not all were sure that their leadership teams fully grasped the ‘scale of the threat’, or the ‘cultural transition’ needed to meet the growing challenge.
Weak utilisation of cybersecurity technology
Most of the staff acknowledged that their organisations put more emphasis on technology than employees to stay secure. Technology was described by some as a tool to ‘help people do the right thing’. This underlines the notion that employees and their work culture are posing more of a cybersecurity ‘weak spot’ than the technology being used at their organisation.
Attacks resulting in action
On the positive side, the survey found that the breaches demonstrated the severity of cyber threats to leadership. Many of the organisations were observed to have become engaged in their cybersecurity challenge post-breach and have since shown more serious intent towards improvement.
Weighing up the consequences
Few organisations attempted to accurately quantify and review the financial impact of the breaches suffered. Similarly, few among the organisations implemented a ‘lesson learned’ process in the aftermath of a breach.
In conclusion, the findings further establish the importance of preventative measures against cyber threats and the weight of the aftermath for organisations if action is taken too late. Adequate leadership and staff training in cybersecurity technology is just as important as the technology itself, and businesses that lack competence in understanding the severity of emerging cyber threats are suffering further losses.