Large General Data Protection Regulation (GDPR) fines against British Airways and Marriott have had a ripple effect on board level involvement and spending plans in relation to cyber security within UK financial firms.
Data security firm Clearswift surveyed 100 senior business decision-makers within enterprise financial organisations in the UK, finding that the recent judgements of the Information Commissioner's Office (ICO) - a £183 million proposed fine for BA and £99 million proposed fine for Marriott - were key turning points in addressing their own cyber security.
Almost one third of companies (32 per cent) referenced these GDPR fines as being the primary reason for an increase in board level involvement and provision for IT security spending.
“It has been over a year since GDPR has been enforced and organisations were wondering if there were any teeth behind the regulations,” said Guy Bunker, chief technology officer at Clearswift. “These fines have clearly sent shockwaves into the industry and are now serving as a blueprint for how the ICO will handle cases of this nature – by giving out such large ‘intentions to fine’ notices, the ICO has delivered a message that it is not afraid to reprimand household names.”
Other key threats identified by respondents included supply chain threats (25 per cent), where attackers seek to damage an organisation by targeting less-secure elements in the supply network, like the high-profile NotPetya attack last year.
Ransomware attacks (24 per cent), such as the infamous WannaCry attack in 2017, where malicious software denies access to a computer system or critical data until a ransom is paid, were also high up the list. When looking solely at companies with over 5,000 employees, fear of ransomware was perceived to be the key reason why firms are bolstering their spending, according to the survey.
When asked about spending levels, the majority of financial businesses would like to see an increase in cyber security investment (73 per cent) with 17 per cent of UK firms surveyed reporting that their budgets currently stood ‘well below the adequate level’. This figure did drop dramatically (to five per cent) when looking at firms with over 5,000 employees – a possible sign that larger firms have already made additional investment to deal with the ever-changing cyber threat landscape.
When asked where their organisation currently focuses its cyber security investment, data loss prevention technology was a primary area for over half (53 per cent), followed by database security (42 per cent), regulatory compliance (40 per cent) and advanced threat protection (40 per cent).