UK firms are still treating cyber security as an IT issue, leaving board oversight, supplier checks and proof of resilience dangerously thin.