The data indicated relatively large firms perform better on the whole than small ones when it comes to regularly experimenting to see whether attackers could crack through and cause damage.
Overall, only 25 per cent were found to undertake any type of penetration testing – despite the fact that nearly half of all UK businesses are thought to have experienced some form of cyber-attack in the past year.
A telephone survey of 1,523 UK businesses of varying sizes was carried out by Ipsos MORI in partnership with academics from the University of Portsmouth, who also undertook in-depth follow-up interviews to try and gauge factors like how seriously bosses were taking the issue of cyber threats.
Breaches stemming from human foibles, for example employees opening scam emails, were found to be the most common type – far more so than more sophisticated operations such as Denial of Service incidents aimed at taking down a business’s website.
Mike McGlynn from multinational company World Wide Technology said the “soft underbelly” of UK business had been exposed.
He also predicted that any rush to embrace the Internet of Things (IoT) – whereby increasing numbers of machines and appliances in offices and homes would be connected to the internet – could spell further trouble as it would leave firms and customers vulnerable to attacks by botnets.
“The range of devices being exposed to the internet are usually not known for having mature security software, and are often in a vulnerable state,” McGlynn said. “Even their manufacturers may not be in a position to regularly patch software in order to protect against online threats, let alone the enterprises that adopt these devices.”
Mike Lynch, chief strategy officer at the American company InAuth, which specialises in internet security for financial organisations, told E&T he was personally reluctant to have IoT-type devices in his home.
Speaking before the publication of today’s report, he said: “If you think about the growth of IoT-connected devices, security is not top of mind. Revenue is.”
But he added there was hope pressure from the public would change matters.
“Eventually consumers will demand better security from the manufacturers,” he said, adding: “I don’t see a massive government regulation stepping in here and, at least at this time, knowing what to do.”
The British Chamber of Commerce yesterday called on companies to ramp up their cyber defences.
Professor John Walker, a cyber-security analyst, told E&T: “At the end of the day, no matter what it is, whether it’s an ATM on a network or a smart meter on a network, it’s a network, it’s got vulnerabilities.
“It’s got access control mechanisms going to and from that device. It only takes one flaw to occur and you’ve potentially got real issues.”
Meanwhile, against the background of the freshly-announced UK general election, political parties have been offered assistance by the National Cyber Security Centre (NCSC), with the authorities warning that “events in the United States, Germany and elsewhere act as a reminder of the potential for hostile action against the UK political system”.
The NCSC, officially opened earlier this year, forms part of a government plan to make the online sphere more secure for firms and the government in the UK.