
Government survey highlights cyber security threats to UK businesses

Published 22 August 2017

Only 6% of FTSE 350 companies polled said they were fully prepared for GDPR

Since 2013, the Government has undertaken a cyber-security health check survey of the UK’s top 350 companies to understand how they are managing their cyber risks. The survey is a non-technical governance questionnaire which assesses the extent to which Boards and audit committees of FTSE 350 companies understand and oversee risk management measures that address cyber security threats to their businesses.

The results reveal a fragile cyber security environment for UK businesses and a degree of unpreparedness for GDPR reform. While almost three-quarters (71%) of respondents said they were somewhat prepared to meet the new compliance requirements brought about by GDPR, only 6% reported being completely prepared to meet their compliance requirements.

Asked which GDPR requirements were causing businesses the greatest concern in terms of meeting compliance, 45% of respondents mentioned the individual’s rights to personal data deletion.

The survey shows that the majority of Boards (54%) perceive cyber risk as a top, or group-level, risk. By contrast, only 13% of respondents viewed cyber risk as a low, or operational-level, risk for their Boards.

Matt Hancock, minister of state for digital, said, "The WannaCry and NotPetya attacks, which affected core public services and private companies at home and abroad, and other high-profile cyber incidents reinforce the need for effective cyber security as part of our digital economy. It is crucial businesses get cyber security right, and boards take ownership of cyber security as a part of core business".

Hancock said, "An increasing number of organisations who responded to the survey relayed the importance of cyber security in terms of the need to protect their services, reassure the public on the safety of their personal data and measure their organisation’s own exposure to cyber risk. Decisions about cyber are increasingly being taken at the board level, which reflects a significant, positive culture shift amongst FTSE 350s since the launch of the scheme".

"However, cyber maturity among FTSE 350s needs to improve at a faster rate to ensure we can stay ahead of future cyber security challenges. This year’s report shows that a small number of FTSE 350 businesses are continuing to operate without plans in place for managing cyber incidents. This is increasingly irresponsible. Furthermore, as we approach the deadline to introduce new regulation such as the General Data Protection Regulation, businesses should continue to prepare themselves for the responsibilities that come with these new requirements," Hancock added.
