The UK Government has released its 2019 ‘Cyber Governance Health Check’ which claims only 16% of executives have an understanding of cyber-security threats.

Jamie Davies

March 5, 2019

UK Government says company boards still don't get cyber-security

It might sound like the beat of an old drum, but eventually management teams will get the idea. Each week new reports emerge suggesting security is an under-appreciated and under-funded aspect of the digital economy, and this week the Government is throwing its own arguments forward. This report measured the attitudes of the FTSE-350 companies across the UK.

“The UK is home to world leading businesses, but the threat of cyber-attacks is never far away,” said UK Digital Minister Margot James. “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack.”

While the report suggests 96% of businesses have a cyber-security strategy in place, this might prove to be a somewhat misleading statistic, offering misplaced comfort. The presence of a strategy is irrelevant when the funds are not being appropriately allocated to put the plan into action. If only 16% of the purse-string holders understand the threat, appropriate investments are not going to be made, and therefore the problem will persist.

“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made,” said James. “Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”

Awareness of cyber-security threats is increasing: 72% of respondents to the survey acknowledge the risk of cyber threats is high, and while this is an improvement on the 52% in the 2018 report, this number is still too low.

This is the position many businesses are in. Security is a recognised threat, but with many board members under pressure to produce profitability, funds are being directed to areas which will add to the bottom line. Security is not one of these areas, though the emergence of GDPR and changing consumer attitudes should help this.

Firstly, GDPR was introduced last year, and the first punishments are beginning to be handed out. As soon as board members start to see the hefty GDPR stick swinging, punishing those who are not deemed sufficiently prepared for a cyber-security breach, attitudes will change. The fines can be eye-wateringly high, and if you want to make an executive listen to you, hit them in the wallet.

Secondly, consumers are becoming more security-conscious. With breaches becoming more widely reported in the press and scandals drawing attention to data privacy demands, consumers (and enterprise customers for that matter) are becoming more aware of what should be considered adequate. Security will soon become a factor in the purchasing decision-making process, and companies will have to prove their credentials.

The tides are slowly turning, and soon enough the digital economy might be equipped to deal with the threat of the dark web. That said, with the astronomical pace of progress, you have to wonder whether the challenge is starting to become too big for the chasing peloton.

“Cyber-security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks,” said Ciaran Martin, CEO of the National Cyber Security Centre.
