With the world still reeling from the ransomware cyber attack in May, new research from Lockton, one of the world’s largest global independent insurance brokers, reveals the stark extent to which UK businesses are failing to keep pace with the rapidly evolving threat of cyber attacks, with just 8% checking for hacking activity daily. Only a third (32%) are doing so at least once a month, with one in four (24%) monitoring just once every two to three months.
The findings of the comprehensive study of 200 senior decision makers responsible for cyber security, prevention and resolution, highlight a staggering perception gap within UK plc with 60% of organisations believing they are industry leading despite infrequent use of hacking detection methods, inadequate engagement from key stakeholders and ineffective training leaving many dangerously exposed.
Peter Erceg, Senior Vice President, Global Cyber & Technology said: “UK companies are clearly underestimating their risk by thinking they are well prepared for a cyber security breach. The current crisis reveals the huge vulnerability of businesses to the ever-present threat of cyberattack and their failings in keeping pace with its rapid evolution.
“Aside from the widespread inconvenience, the cost of a data breach can be profound, running into millions of pounds for larger organisations, with additional hits to reputation, customer base and business opportunities.”
With Government figures estimating that seven in 10 large companies experienced a cyber breach or attack in the past 12 months, early detection is crucial to preventing significant loss or damage [2]. The cost of a data breach can run into millions of pounds, with the average cost per lost or stolen record at £102 [3].
Despite this, only 8% of UK organisations check to see if they are being hacked every day. Almost a third (32%) only do so at least once a month, while a quarter (24%) only use hacking detection methods every two to three months.
Many companies are also failing to involve relevant stakeholders in cyber-breach scenario planning. Just 50% of organisations say the Board is in any way involved, with other key figures such as the head of PR and communications (26%) and head of HR (7%) also excluded. In contrast, 96% of those surveyed say the head of IT is involved, alongside other key figures including risk management (88%) and operations (78%).
Consequently, just 26% of companies say the Board is the most influential figure in terms of decision making for cyber-breach scenario planning, compared to 42% who say it is the head of IT and 28% who cite risk management teams.
Erceg says: “The lack of engagement by key stakeholders is worrying. The Board needs to be intimately involved in cyber breach planning to allow them to constructively challenge their head of IT and other key members of staff to demonstrate how prepared their organisation is, and identify when this preparedness is being exaggerated.
“The outputs of a cyber breach are very much a Board-level concern. They must be held accountable to ensure their organisation has an effective cyber risk management strategy in place, including sufficient protection to protect critical corporate assets.”
UK organisations are also failing to mitigate the high risk of human error causing a cyber breach. More than a quarter (27%) of UK organisations admit not all of their staff are aware of the correct procedure and who to contact in the event of a cyber breach, while a similar proportion (26%) say new staff are not made aware of the cyber security processes and procedures in place within their company. Almost a fifth (18%) do not regularly update staff with the latest news on dealing with potential cyber security breaches.
Given the four most common types of cyber breach – fraudulent emails, viruses, spyware and malware, impersonation and ransomware – are all linked to human factors [2], staff awareness and understanding should be treated as a crucial part of cyber breach prevention.
Erceg comments: “You can never completely prevent a cyber breach, but proper training is a critical line of defence. In most cases, cyber attackers gain access through a member of staff, so it’s vital employees are trained to recognise suspicious or fraudulent activity. With the threat of cyber-attacks increasing exponentially there is no excuse for companies not to be investing in the development of a robust mitigation plan, underpinned by a set of employee policies and guidelines.”