The UK's biggest companies are not considering cyber risks in their decision making, according to a new survey from the Department for Business, Innovation and Skills.
The survey, dubbed the cyber governance health check, was sent by the six largest audit firms to the chairs of the audit committee of the FTSE 350 companies in August 2013.
Further reading Cyber attacks – up close and personal NSA used malware to infiltrate more than 50,000 networks - Snowden Government 'frightened' of warning public about cyber threats CESG and CREST reveal first companies to be certified for Cyber Incident Response schemes
The study found that only 14 per cent of FTSE 350 firms are actively studying cyber threats, with a large proportion of companies not receiving any intelligence about cyber criminals.
Only a quarter of companies considered cyber threats as a "top risk", although 62 per cent of firms thought that their board members were taking the cyber risk very seriously.
Over half (56 per cent) of the respondents said that their strategic risk register includes a cyber-risk category, and 60 per cent understand what their key information and data assets are.
But a quarter of respondents said the main board has a poor understanding of how and where the company's key information or data assets are shared with third parties.
Just 17 per cent have clearly set what they see as an acceptable level of protection against cyber threats, and only 39 per cent had used the government's 10 steps cyber security guidance.
Of the respondents, 75 per cent had not undertaken any cyber risk or information security training in the past 12 months and 80 per cent said none of their board colleagues had undertaken any either.
When asked who owns the cyber risk for their company, a quarter said that it was the head of IT or CIO's role, a fifth said it was the CEO's role and 28 per cent said that it was the CFO's role.
"The cyber crime threat facing UK companies is increasing. Many are already taking this extremely seriously, but more still needs to be done," said science minister David Willetts.
"We are working with businesses to encourage them to make cyber security a board-level responsibility," he added.
The government hopes that its kitemark-style "cyber standard", which launches next year, will help businesses to ensure they are adopting good practice within cyber security.
"The cyber standard will promote excellence in tackling cyber risks, help businesses better understand how to protect themselves, and ultimately increase the nation's collective cyber security," Willetts suggested.
