Amid a wave of high-profile cyberattacks, technology and SaaS companies have been named among the best in the UK for cyber policies – but the worst for operational resilience, according to research.

The Cyber Culture Clash Report, by compliance training provider Skillcast, analysed the gap between written cybersecurity policies and real-world practice in the largest businesses in the UK, across multiple sectors. The technology sector showed the widest gap of any industry, with just 36 per cent alignment between policy and practice.

Policy performance was strong:

• Technology and SaaS firms had the most references to cybersecurity in annual reports.
• Privacy policies were regularly updated, keeping compliance frameworks current.
• The sector led in ISO 27001 adoption, with nearly all businesses citing the standard online.
• 8 per cent of staff were dedicated cybersecurity professionals, more than double the proportion of any other industry.

However, practice scores lagged behind:

• 69 per cent of companies reported a cyberattack in the past year – the highest of any sector.
• Phishing click rates reached 40 per cent in large enterprises.
• ICO-reported cyber incidents have risen 40 per cent over the past two years

These gaps are particularly concerning for a sector heavily reliant on digital operations and cyber awareness, where a single breach can have wide-reaching consequences.

Each industry in the study was assessed with two scores out of 260, one for policy and one for practice.

Policy covered essentials such as cybersecurity frameworks, regulatory references, and Cyber Essentials Plus accreditation, while practice assessed operational factors including staff headcount, attack rates, and phishing resilience.

Vivek Dodd, CEO at Skillcast, commented: “Implementation is clearly lagging behind policy in the tech sector. While companies are writing robust cybersecurity frameworks, the findings from our Cyber Culture Clash Report reveal many are struggling to translate them into consistent, real-world action. This highlights a critical problem: having the right policies on paper isn’t enough. Even highly skilled teams remain vulnerable if those policies aren’t embedded in everyday behaviour. Encouragingly, tech firms reference cybersecurity more often in annual reports than any other sector, showing that the issue is firmly on the strategic agenda. The next challenge is ensuring that practice catches up with policy, turning ambition into measurable resilience.”

Other posts by :

1. Roskosmos: Heads roll, launch project scrapped
2. MDA under pressure over satellite order
3. SES backs C-band action from FCC
4. Congested orbits mean high risks of debris
5. SpaceX bids fairwell to booster 1076
6. Bank: LBG Media results “in line”
7. WBD: Surprise, surprise… not
8. SpaceX to lose Moon Lander contract?
9. Arianespace 64 delayed – again

Categories: Articles, Broadband, Markets, Research

Tags: cyber attack, data, UK