Amid a wave of high-profile cyberattacks this year, technology and SaaS companies have been named among the best in the UK for cyber policies – but the worst for operational resilience, according to new research.
The Cyber Culture Clash study, by compliance training provider Skillcast, analysed the gap between written cybersecurity policies and real-world practice in the largest businesses in the UK, across multiple sectors.
The technology sector showed the widest gap of any industry, with just 36% alignment between policy and practice.
Policy performance was strong:
- Technology and SaaS firms had the most references to cybersecurity in annual reports.
- Privacy policies were regularly updated, keeping compliance frameworks current.
- The sector led in ISO 27001 adoption, with nearly all businesses citing the standard online.
- 8% of staff were dedicated cybersecurity professionals, more than double the proportion of any other industry.
However, practice scores lagged:
- 69% of companies reported a cyberattack in the past year – the highest of any sector.
- Phishing click rates reached 40% in large enterprises.
- ICO-reported cyber incidents have risen 40% over the past two years.
These gaps are particularly concerning for a sector heavily reliant on digital operations and cyber awareness, where a single breach can have wide-reaching consequences.
Each industry in the study was assessed with two scores out of 260, one for policy and one for practice.
Policy covered essentials such as cybersecurity frameworks, regulatory references, and Cyber Essentials Plus accreditation, while practice assessed operational factors including staff headcount, attack rates, and phishing resilience.
Vivek Dodd, CEO at Skillcast, said:
“Implementation is clearly lagging policy in the tech sector. While companies are writing robust cybersecurity frameworks, the findings from our ‘Cyber Culture Clash Report’ reveal many are struggling to translate them into consistent, real-world action.
“This highlights a critical problem: having the right policies on paper isn’t enough. Even highly skilled teams remain vulnerable if those policies aren’t embedded in everyday behaviour.
“Encouragingly, tech firms reference cybersecurity more often in annual reports than any other sector, showing that the issue is firmly on the strategic agenda. The next challenge is ensuring that practice catches up with policy, turning ambition into measurable resilience.”