Survey reveals 32% of C-Suite have no response plan for cyberattacks or don’t know if they have one

Nearly a third of C-Level directors surveyed across the UK (32%) either do not have a response plan in place to manage a cyber-attack on their business, or they are not sure whether they do.

That’s the finding of a new poll of 250 C-suite members in organisations with more than 50 staff. The survey was carried out by Maidenhead, UK-based Axial Systems in the first quarter of 2017.

Mike Simmonds, managing director Axial Systems commented: “Businesses are starting to wake up to all the messages we see out there in the marketplace around cyber-preparedness. However, our survey reveals that there is much more work to do. Every organisation should have some sort of a cyber response plan in place – and senior directors within a business should certainly be aware of whether or not such a plan has been prepared. That’s clearly not the case currently.”

Mike Simmonds

In line with this, the survey found that even those directors who said they did have a response plan struggled to provide much detail around it. Many respondents gave basic answers, unlikely to constitute a sufficient response to a real attack such as ‘we have back-up help’ or we ‘keep firewalls and anti-virus up-to-date’. Some expressed a lack of knowledge of the process, while others argued that they ‘have a team to handle it’ or that they ‘call in an expert’.

The Axial survey indicates that part of the issue for the C-suite may be a lack of dedicated support from within the organisation. More than half (52%) of C-level respondents said that cyber-security is the role of the IT department. In total, just 35% said there was a separate security department in place but significantly less than half of those respondents said that that department was headed up by a dedicated chief security officer (CSO) or chief information security officer (CISO).

“This chimes with our own experience in engaging with businesses at Axial,” added Simmonds. “IT departments will inevitably be a distracted by a host of other challenges which will make it difficult for them to focus sufficient time and expert resource on security issues. By not having a dedicated security team, organisations are potentially putting themselves at even greater risk.”

The survey also reveals that C-level directors themselves sometimes fail to lead by example. Levels of ‘transgression’ with regards to personal use of business data appear to be much higher among senior directors than among office workers generally.

Paul Brett

In all, 45% of the C-level sample admitted to having stored company data on a home computer. This compares with just 14% of office workers surveyed in a parallel poll conducted by Axial (also employees of organisations with over 50 staff) confess to having done the same. Similarly, 18% of office workers said they had ‘sent work data to personal devices for easy access’ – just underhalf the proportion of senior directors (41%) admitted to doing this.

The survey raises concerns whether those at the top of business are really passing on the message around key security concerns and best practice approaches to more junior employees. 50% of office workers have not received any training at all on IT/cyber-security since joining their current business – and many lack a clear understanding of their business’s security policies around IoT and GDPR.

Given this backdrop, it is perhaps unsurprising there is so much speculation across the business world about how well prepared businesses are for General Data Protection Regulations (GDPR). Just 17% of the C-level sample in the survey think their organisation is fully prepared and there is good reason for that low figure.

Many employees are not well versed in the implications, dedicated security teams are in short supply, and perhaps most concerning of all, says Axial, more than a quarter (26%) of C-level directors said their businesses did not have a Data Protection Officer (DPO) in place – even though having one is, in many cases, a mandatory requirement of the pending GDPR regulations.

Cal Leeming

Head of Sales at Axial Systems, Paul Brett, commented, “Prevention is always better than cure when it comes to cyber-breaches. It is always cheaper to solve the problem up front as opposed to afterwards. After the event, you will have to pay for a new solution anyway but you are also likely to have to deal with loss of revenue, loss of customers, reputational damage and maybe even share price impact. Depending on the nature of the breach, it may take years for the business to recover, if indeed it ever does.“

Cal Leeming, CEO at Lyons Leeming said, “GDPR was designed really as a ‘minimum specification’. We have to really remember that. It’s not the case that the regulation is something that we should aim for. It’s more about the authorities stating that this is really the base level standard and if you are more than a ‘hair’ off this, you are going to get sanctioned. What organisations should really be saying is here is our baseline, let’s try to exceed that, lets excel. You’d hope that every company and every CEO or business owner will always do that; will always say: ‘we are going to go above and beyond’. In reality, of course that’s not the case.”

“It took me four years training as an engineer and then more by excellent mentors on the business side before I fully understood the business implications of cyber-threats. That’s key because cyber-security is not a technical problem, it’s a business risk problem.

The volume of cyber-security breaches that we see in the market today is starting to desensitive people to the gravity of these incidents. That’s a big issue. People are just so used to hearing news stories about leaks that they are increasingly unaffected by them.”

Jason Hart

According to Jason Hart, CTO for the Enterprise & Cyber Security division of Gemalto, “The business as a whole should own information security not the IT department. It should be a board level responsibility. They should be pushing down the requirements and then making individuals accountable. IT are there to implement the procedure or the control and manage it. They are not there to police it.”

Hart added, “Security ultimately needs to be transparent to the individual user. We are a long way from that point today. But there are hopeful signs. The onward march of AI (artificial intelligence) and behavioural analytics is helping drive the process and the move to cloud and microservices will help to accelerate it.

Looking to the future, however, if this it to be sustained, we need to see more collaboration between technology vendors and cloud providers and vendors need to make security simpler and easier for users.”

“Security training within businesses today is essentially not working. There needs to be different types of training for different types of individuals within the organisation. More importantly, the training needs to highlight the potential impact of security breaches to specific individuals. Training must never be conducted in isolation. The learning points need to be aligned with the business culture of the organisation.”

“I’ve been involved in GDPR for a number of years. The bottom line is people are still very confused about the regulation. They feel it is complicated. They don’t understand what it is trying to achieve. People often say ‘Well, I’m PCI compliant; I have ISO 27001 certification. I don’t understand the linkage or the additional need.’ Most people I speak to are not even aware that GDPR is coming downstream. So I think as UK PLC, we have done quite a bad job of getting the message out there,” Hart concluded.

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


SiTime expands addressable market with its new precision timing solution for autonomous vehicles

Posted on: September 30, 2022

Santa Clara, United States. 27 September, 2022 – SiTime Corporation, a provider in precision timing, introduced a new automotive oscillator family, based on SiTime’s advanced MEMS technology. The new differential oscillators are 10x more resilient and ensure reliable operation of ADAS across extreme road conditions and temperatures. The launch of the new automotive oscillator, AEC-Q100 SiT9396/7,

Read more

Semtech’s LoRa devices featured in Kiwi Technology gas metering solution

Posted on: September 30, 2022

Camarillo, United States. 29 September, 2022 – Semtech Corporation, a global supplier of high performance analog and mixed-signal semiconductors and advanced algorithms, announced that Kiwi Technology, an advanced internet of things (IoT) turn-key solutions and data analytics provider, is using Semtech’s LoRa devices for its new third party class B network control unit (NCU) that connects gas meters

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox