Business leaders across the UK are, by and large, failing to account for cyber security risk, and only seem to appreciate the need to have appropriate protections in place in the wake of a major incident, according to a whitepaper produced by the Department for Digital, Culture, Media and Sport (DCMS).

The DCMS interviewed IT leaders, including CISOs, at multiple anonymous organisations that had experienced a cyber attack or data breach, and found that while most of them agreed there was a need for increased investment in security, and most considered themselves better prepared than everyone else, they also said there were varying levels of support for, and interest in, security from other leadership teams.

While most said business leadership did grasp the importance of security and were supportive of it, they also expressed doubt that boards understood the scale of the threat, or the cultural transition needed to meet it.

Therefore, the paper said, for many IT leaders, cyber incidents actually had a somewhat positive outcome in that they demonstrated that the threats are real, underscored the importance of security, and made it easier for them to make the case for investment with an engaged, albeit somewhat frightened, board.

One respondent, the CSO of a logistics, manufacturing and e-commerce platform provider, experienced a major distributed denial-of-service (DDoS) attack via the firm’s third-party hosting services provider on the evening of 3 July 2021, minutes after kick-off in England’s European Championships quarter-final match against Ukraine.

Despite a stressful couple of hours for the firm’s IT teams, the attack was contained, and services were back up and running in relatively short order, although the business took a £500,000 hit in lost sales.

Post-breach, the CSO said the business has embarked on a bigger process of transformation and has implemented threat tracking and security testing, designed to mitigate eight identified cyber risks to the business.

The CSO said: “I would say before the breach I had 100% support of the board and then post-breach it was 110% support. I would say this one helped accelerate the delivery of a lot of elements of my programme.”

Another respondent, an IT manager at a wholesale and retail business, experienced a cyber attack in November 2021 which saw the organisation’s Microsoft Exchange server compromised and hijacked to send out spear-phishing emails to the company’s contacts.

The firm only became aware of the incident when people started to contact it in response to these emails, and the IT manager described a period of ensuing “well-hidden panic” because an external IT consultant the company had previously used was unavailable, meaning the firm had to deal with it itself.

The attackers were subsequently able to return and repeat the attack, culminating in the discovery that the firm had been breached months before via a compromised patch.

Ultimately, the company was forced to rebuild much of its IT infrastructure from the ground up, with significant downtime and business impact as a result, including lost customers, lost revenues, and substantial reputational damage.

However, the IT manager said there had also been positives, notably a change in culture: “Before, I was the man who made it difficult to do things, which I think is standard, but now people understand what they are paying for.”

A third respondent, a security operations centre head (HSOC) at a large private sector organisation with over 150,000 employees in the UK was hit by a similar attack in early 2021, when its brand was hijacked in a smishing campaign that redirected its customers to compromised websites.

Prior to the incident, the HSOC said the organisation had viewed cyber security as a board-level business problem because it involved financial, operational, strategic and customer risk – also, this organisation operates in a highly regulated sector, so its compliance regime is generally good.

The HSOC told the DCMS interviewer that the incident had ultimately proved beneficial because despite the board’s rigorous approach to cyber, it really highlighted the importance of security to leadership.

“In the past, the challenge for us is that we were partly a victim of our own success as we were so good at protection, we never had a major incident, so we never had evidence of the importance of cyber security,” the HSOC said.

Tessian CEO Tim Sadler said although it was positive that businesses were taking steps to strengthen their defences after attacks occurred, this was too often too little, too late.

“Business leaders need to listen to their security teams to understand the ways they can proactively protect their organisation before a costly breach occurs,” he said. “A recent Tessian report revealed that 58% of employees think senior execs at their company value cyber security – a statistic that needs to be dramatically reduced.

“A top-down and collaborative approach to strengthening defences and building robust security cultures is so important to ensure everyone understands the role they play in protecting the organisation from cyber attacks.”

Sadler added: “A ‘what’s the worst that could happen?’ mentality is risky when it comes to cyber security, especially when you consider that three in four businesses have experienced a security incident in the last 12 months.”