Most of the UK's top businesses are underprepared for new data protection rules, while 10 per cent have no response plan for a cyber attack, according to a government survey.
This year's annual cyber governance health check (PDF) asked FTSE 350 companies about both their cyber security and data protection measures – the latter being a new introduction for the 2017 report.
It found that 10 per cent of businesses don't have a plan in place for a cyber incident – which the government noted should be addressed as soon as possible, "given that their organisations are likely to be subject to regular attempts at cyber breaches owing to their high-profile status".
Meanwhile, a quarter of boards said they have no defined role in a company-wide response to an attack, and 68 per cent said the board had not received any incident response training.
The survey did find, however, that cyber risk is now seen as a top or group-level risk for most (54 per cent) of company boards – although 13 per cent still ranked it as a low, or operational-level, risk.
Just over half of company boards said they set their business's appetite for cyber risk – up from a third in last year's survey – and 50 per cent said the board does review and challenge reports on the security of customers' data.
The number of boards that believe they have a clear understanding of the impact of a cyber attack was also higher this year, rising from 49 per cent to 57 per cent.
The survey also posed a set of questions about the EU General Data Protection Regulation, which takes effect in May 2018, and found that 97 per cent of the UK's top firms had at least heard of the new rules.
However, most responses indicated that it is not classed as a board-level concern: only 13 per cent said they regularly consider GDPR at board level.
Just 6 per cent of businesses said they were completely prepared for GDPR, but almost three-quarters said they considered themselves "somewhat" prepared.
When asked what their biggest concerns were about the new laws, two areas topped the list: the requirement that companies delete a person's data and the tightening of the consent requirements.
Although experts in data sanitisation have previously told The Reg that companies should expect data deletion terms to be tougher than anticipated, the UK's data watchdog has taken aim at overhyped concerns about consent in a "myth-busting" article published last week.
Indeed, the government recommends in the cyber health report that businesses consult the Information Commissioner's Office's guidance. ®