A worrying number of UK businesses have no formal plan to protect their business from a cyber-attack and the number of SMEs preparing themselves has not improved from a year ago.

This is according to a new report from the Institute of Directors and Barclays.

Although almost all companies (94 per cent) think the security of their IT systems is important, only 56 per cent have a formal strategy in place to protect their devices and data, unchanged in the last year (57 per cent).

The report, “Cyber security: Ensuring business is ready for the 21st century”, supported by Barclays, shows that despite a number of high-profile cyber-attacks over the last year, 37 per cent of IoD members lead or work in organisations without a formal cyber security strategy. Worse still, if cybercrime were to hit their business, 40 per cent would not know who to report it to.

With the new General Data Protection Regulation, which comes into effect next May, companies will be made much more accountable for their customers’ data, and the IoD and Barclays are urging business leaders to step up their preparations now.

The government has made positive steps in the last year to protect business and consumers, particularly by founding the National Cyber Security Centre, the report said.

By bringing together several different agencies, and placing the centre within GCHQ, the UK authorities are well-placed to detect and understand cyber threats.

For businesses, however, ultimate responsibility will always lie in the boardroom.

The report reveals almost half of UK firms (44 per cent) don’t have any cyber awareness training for their employees.

The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.

Stephen Martin, director general of the Institute of Directors, said: “The UK is a leader in the digital economy, but if we are to build on our existing strengths and capitalise on new technologies, we have to go into the future with our eyes open to the risks. This report has revealed that business leaders are still putting cyber security on the back burner. The results, even for small and medium-sized businesses, could be catastrophic.

“With threats evolving all the time, and demanding new regulations just around the corner, we cannot afford another year of complacency from business. Now is the time for firms to test their defences and make sure all of their employees, including management, have the right skills and knowledge on cyber security. This isn’t just an IT issue, it’s a business survival issue.”

Mike Hayden, head of SME Business for Barclays in South Wales, said: “In this digital age, cyber security should be a priority for every single business. More must be done to help businesses recognise the threat an attack could have not just on their bottom line, but to their reputation or even future existence. Keeping customers’ data safe and secure is a legal responsibility so they need to prepare for the unforeseeable.

“SMEs need a strategy in place to weather cyber-storms - a head-in-the-sand approach won’t do. This could include a resilience plan raising staff awareness of the common types of attack, investing in up-to-date software protection and knowing who to report the crime to if the unexpected occurs.

“At Barclays we want to help businesses and their employees to fight back against the cyber criminals, so we’ve launched free cyber security training at our Eagle Lab sites across the country, led by Barclays’ Digital Eagles. Knowing how to stay safe and protected online is a major step forward for businesses to operate with digital confidence.”