Most business leaders only prioritise cyber security after a major breach, report finds

A woman and two men having an important business discussion
(Image credit: Shutterstock)

Businesses have reported that senior leadership teams only begin to appreciate cyber security once the business has sustained a “serious” attack.

The observations of “numerous” businesses were revealed in a policy paper, published today by the Department for Culture, Media, and Sport (DCMS), which investigated the experiences of cyber attacks on UK businesses.

Half of the participants involved in the interviewing process conducted by the DCMS said senior leaders recognised that cyber security threats were real only after the business had been attacked.

Common observations among businesses were that senior leaders were not as engaged with security as a priority and some didn’t fully understand the scale of the threats or the cultural transition required to meet the growing challenge.

Senior management and board members became markedly more engaged with cyber security as a result of their respective breaches and have since “demonstrated more serious intent” to improve the organisation’s cyber posture, though.

The improvements were observed across all different types of businesses that spoke to the DCMS as part of its research.

The government department said it heard from ten businesses of varying sizes and degrees of IT maturation, most of which operated across different sectors too. The only commonality shared between them was that they all suffered serious cyber incidents in the four years before the research.

The general manager and IT manager at one smaller private organisation (10-49 employees) said the breach it suffered made the organisation “more vigilant” at senior management level.

This heightened vigilance allowed both managers to get immediate sign-off from the board when it came to contracting a new IT provider. This came after the previous company was blamed for a slow response to an attack which saw an email intercepted and client funds were stolen.

For a very large private organisation with more than 250 employees, its head of the cyber security operations centre (HSoC) said its breach brought cyber security to senior leaders’ attention since the company had become “a victim of its own success”.

It had never before experienced a major incident because its protections had always been so effective, the HSoC said, but the smishing attack prompted additional services to be purchased and internal awareness campaigns to be launched.

Other large organisations also reported that the business was not interested in what the IT teams were doing to remain safe from cyber threats but awareness was only sharpened post-attack.

Before the incident, the Chief Security Officer (CSO) at a separate larger private company also said “I had 100% support of the Board and then post-breach it was 110% support… I would say this one helped accelerate the delivery of a lot of elements of my programme”.

RELATED RESOURCE

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

FREE DOWNLOAD

Despite a tumultuous half-decade in cyber security, in which time ransomware began to proliferate and dominate the threat landscape, the DCMS report also found IT teams also still struggle to quantify the financial impact of breaches as well as convince senior leaders to engage with the issues.

Businesses generally strengthened their defences after their respective attacks in the form of new security products, policies, or staff training. However, the DCMS observed that “very few” developed a list of ‘lessons learned’ that could be used to support the development of future security programmes.

Most businesses acknowledged the industry’s received wisdom that people are often the so-called cyber security weak link, but prioritised spending on new security tools rather than internal awareness training.

The common justification among businesses was that these tools would help their people do the right thing and make better decisions as a result.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.