A recent survey conducted by norm. has revealed that business and technical leaders within UK organisations have differing levels of confidence in their organisations' ability to protect themselves against cyber threats. Over 92.5% of business leaders are either reasonably or very confident, with that number dropping to 80.7% amongst technical respondents. Almost a fifth of technical leaders stated that they are not very confident.
This trend continued when both groups were asked how confident they are in their users’ ability to help mitigate cyber risks – although levels of confidence overall were lower in both groups. While almost three quarters (73%) of business leaders stated that they are either reasonably or very confident, over a third (38.5%) of their technical counterparts said that they are either not very or not at all confident.
When asked about cyber preparedness, one in four business leaders told us that their organisations either do not have a plan to respond in the event of a cyber incident – or they don't know whether they do. This number rises to over 40% amongst technical respondents – a disturbingly high figure given that most organisations will fall victim to a cyber incident at some point.
We also asked survey respondents to tell us what they believe the greatest barrier to building cyber resilience is for UK organisations. 40% of business leaders disclosed that the greatest barrier within their organisations is either a lack of understanding of cyber risk at the Board level, or the fact that it is not seen as a priority by them. In contrast, almost a quarter (23.1%) of technical leaders cited lack of budget as their main challenge, with lack of understanding of cyber risk by the Board coming a close second with almost a fifth (19.2%) of the vote.
One area of consistency between the two groups of respondents was whether or not their organisations are asking third party partners and suppliers to prove that they have adequate cyber security controls in place. Three quarters of business leaders stated that they do, and almost the same number (73.1%) of technical leaders said the same.
According to both groups, the most common cyber security budget bracket is £1 – £50,000 per annum with the majority of those respondents representing midsize organisations. However, a greater variance in budget was reported by the technical group with almost a quarter (23.2%) claiming a budget of between £200,001 and £500,000 and almost a fifth (19.2%) with a budget of between £50,001 and £100,000. It also looks as though budgets will not be rising by much – if at all – in 2022 as an overwhelming majority of both groups (77.5% of business leaders and 73.2% of technical leaders) told us that they either have no plans to increase cyber security budgets or that they will rise by a modest 1 – 25%.
When asked to tell us what the primary driver behind their cyber security strategy will be in 2022, both business and technical respondents cited internal recognition of the threat as the main source, at 62.5% and 50% respectively. In second place – also for both groups – were requirements from customers and trading partners.
Looking ahead to the specific types of cyber threat that organisations are most concerned about, it is no surprise to see ransomware topping the list for both business and technical leaders, with 37.5% and 46.2% of the vote respectively. Spam and phishing are also still high on the agenda, with a quarter of business leaders citing them as the primary cyber threat and just under a quarter (23.2%) of technical leaders saying the same.
Finally, we asked whether UK organisations are better equipped to mitigate cyber risk now than they were 12 months ago. While in both groups almost two thirds of respondents believe that UK organisations are better equipped to mitigate cyber risk now than last year, the flipside of this is that over a third of all respondents believe that organisations are either worse equipped or haven’t improved at all.
Pete Bowers, COO at norm., summarises: “What this research reveals is a significant difference in levels of confidence amongst business leaders when compared to their technical counterparts. With technical teams bearing the brunt of responsibility for managing cyber risk in most companies, it is feasible that their perspective is closer to the reality. This means that business leaders are either overestimating their level of cyber resilience or that they don’t have the visibility they need to make an accurate judgement – or both. This inability to assess whether cyber security controls are actually making a demonstrable impact is further borne out by the fact that 40% of business leaders state that the greatest barrier to building cyber resilience is a lack of understanding and prioritisation by the Board.” Pete adds: “Only by demystifying cyber security and making it simpler for businesses to understand their current level of exposure and how to improve it will this issue be solved.”
If you’d like to discuss how you can improve your cyber resilience and improve your organisation’s confidence in its ability to mitigate cyber risk in 2022, get in touch here.