'Worrying number' of UK businesses unprepared for cyber attacks, says IoD

Out-Law News | 29 Mar 2017 | 9:53 am

A "worrying number" of UK businesses do not have a plan in place for dealing with a cyber attack should they experience one, the Institute of Directors (IoD) has said.

In a new report (22-page / 2.07MB PDF), the IoD, which represents business leaders, shared the results of a survey it carried out into UK businesses' approach to cybersecurity.

The IoD said just 56% of businesses confirmed that they "have a formal cybersecurity strategy", and 40% of respondents said they are not sure who to contact in the event that they fall victim to online fraud.

James Jarvis, corporate governance analyst at the IoD, said that responsibility for addressing cyber risk should sit with a company's board, and that it is important that there are "tech-savvy" people on the board.

"Cyber security is of such critical importance to modern companies that it should clearly be viewed as a principal risk to business," Jarvis said. "Responsibility therefore for outlining a prevention strategy should fall to the board. While a company’s tech team is clearly best equipped to deal with an issue should it arise, the strategy guiding them falls to the board to dictate. This can and should be done with the support of senior IT staff so that the board is fully equipped to set such strategy."

"Executive directors should realise the importance of having tech-savvy NEDs on their boards not just to ensure that there is a degree of expertise informing strategy in relation to cyber security but to also allow the organisation to capitalise on the constantly developing opportunities presented by the digital revolution," he said.

In its report, the IoD highlighted the EU's General Data Protection Regulation (GDPR) as legislation that businesses in the UK need to prepare for. The GDPR will apply from 25 May 2018 and the UK government has confirmed it will adopt the Regulation despite moving forward with plans to exit the EU.

In a speech at the IoD's conference in London, the UK's digital minister Matt Hancock said it is "crucial all organisations understand what data they have and ensure it is protected appropriately" in light of the new requirements set out in the GDPR.

The IoD said the UK government must do more to advertise guidance for businesses on compliance with the GDPR. The UK's Information Commissioner's Office (ICO) has already issued some general guidance on the new Regulation and is currently consulting on draft guidance on consent under the GDPR.

Marc Dautlich, data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said that one of the major changes that the GDPR will bring is a requirement on businesses to disclose major data breaches.

"Today, many personal data breaches in the UK go unreported by businesses," Dautlich said. "In jurisdictions that already have mandatory breach reporting requirements, such as the US, unprepared directors have found themselves losing their job after a breach for failing to give adequate attention to the issue, and therefore letting down their stakeholders, damaging their business’s reputation, and exposing it to regulatory and legal sanctions."

"The mandatory requirement to report security breaches will bring an increased risk of quasi ‘class action’ lawsuits in the UK. Furthermore, negative publicity tends to drive regulators to use their powers in a more robust way: under General Data Protection Regulation they will have power to award substantial fines to UK businesses," he said.