The majority of board members at Britain’s biggest public companies have received no training in how to handle a cyber attack despite it rapidly rising up the business agenda, according to a new survey.
Some 68 per cent of board members in the FTSE 350 said they have not been trained in responding to a cyber attack, according to the research by accountants KPMG on behalf of the government.
While a tenth of FTSE 350 firms do not have a plan in place to deal with cyber incidents, the proportion of businesses that describe it as a top risk has almost doubled in the last three years to reach 54 per cent.
Yet only two per cent of board members said they had received “comprehensive” training, despite the fact that cyber risk has risen rapidly up the agenda after a spate of high-profile hacks and data leaks.
In June victims of the so-called Petya hack, which originated from an attack on Ukraine, included FTSE 100 advertising giant WPP and Danish shipping group Maersk, which saw share prices fall. Other notable British-linked firms to suffer from costly hacks are telecoms firms Talktalk and Telefonica, owner of O2.
The Petya hack followed close on the heels of May’s Wannacry virus which disabled large parts of the National Health Service computer infrastructure.
“Recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right,” said Matt Hancock, minister for digital. “We have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the government’s advice and training.
Understanding of the potential impacts from hacks has increased quickly over the past year, according to the survey, but only 57 per cent of businesses have a clear understanding of the damage that can be be wrought.
Lack of preparation for a hack can cost firms large amounts of time and money, according to Paul Taylor, UK head of cyber security at KPMG. He said: “While cyber security has cemented itself onto the board’s agenda, they often lack the training to deal with incidents.”