With the world still reeling from the ransomware cyber attack on Friday 12th May, new research from Lockton, the world’s largest global independent insurance broker, today reveals the stark extent to which UK businesses are failing to keep pace with the rapidly evolving threat of cyber attacks, with just 8% checking for hacking activity daily. Only a third (32%) are doing so at least once a month, with one in four (24%) monitoring just once every two to three months.
The findings of the comprehensive study of 200 senior decision makers responsible for cyber security, prevention and resolution, highlight a staggering perception gap within UK plc with 60% of organisations believing they are industry leading despite infrequent use of hacking detection methods, inadequate engagement from key stakeholders and ineffective training leaving many dangerously exposed.
>See also: ‘One in five’ British firms hit by cyber attack in 2016
Peter Erceg, senior vice president, Global Cyber & Technology said: “UK companies are clearly underestimating their risk by thinking they are well prepared for a cyber security breach. The current crisis reveals the huge vulnerability of businesses to the ever-present threat of cyber attack and their failings in keeping pace with its rapid evolution.”
“Aside from the widespread inconvenience, the cost of a data breach can be profound, running into millions of pounds for larger organisations, with additional hits to reputation, customer base and business opportunities.”
Only 8% of UK organisations check if they are being hacked every day
With government figures estimating that seven in ten large companies experienced a cyber breach or attack in the past 12 months, early detection is crucial to preventing significant loss or damage. The cost of a data breach can run into millions of pounds, with the average cost per lost or stolen record at £1023.
Despite this only 8% of UK organisations check to see if they are being hacked every day. Almost a third (32%) only do so at least once a month while a quarter (24%) only use detection hacking methods every two to three months.
Lack of board engagement drives over-reliance on IT and poor co-ordination of key stakeholders
Many companies are also failing to involve relevant stakeholders in cyber breach scenario planning. Just 50% of organisations say the Board is in any way involved, with other key figures such as the head of PR and communications (26%) and head of HR (7%) also excluded.
>See also: A cyber wake-up call: the global ransomware cyber attack
In contrast, 96% of those surveyed say the head of IT is involved, alongside other key figures including risk management (88%) and operations (78%).
Consequently, just 26% of companies say the board is the most influential figure in terms of decision making for cyber-breach scenario planning, compared to 42% who say it is the head of IT and 28% who cite risk management teams.
Erceg said: “The lack of engagement by key stakeholders is worrying. The board needs to be intimately involved in cyber breach planning to allow them to constructively challenge their head of IT and other key members of staff to demonstrate how prepared their organisation is, and identify when this preparedness is being exaggerated.”
“The outputs of a cyber breach are very much a board-level concern. They must be held accountable to ensure their organisation has an effective cyber risk management strategy in place, including sufficient protection to protect critical corporate assets.”
>See also: How to: the CIO’s guide to fending off anticipated cyber attacks
High risk of human error goes unchecked as staff don’t know how to deal with cyber breaches
UK organisations are also failing to mitigate the high risk of human error causing a cyber breach. More than a quarter (27%) of UK organisations admit not all of their staff are aware of the correct procedure and who to contact in the event of a cyber breach, while a similar proportion (26%) say new staff are not made aware of the cyber security processes and procedures in place within their company. Almost a fifth (18%) do not regularly update staff with the latest news on dealing with potential cyber security breaches.
Given the four most common types of cyber breach – fraudulent emails, viruses, spyware and malware, impersonation and ransomware – are all linked to human factors2, staff awareness and understanding should be treated as a crucial part of cyber breach prevention.
>See also: The talent drought has led to costly cyber attacks on businesses
Concluding, Erceg advises that “you can never completely prevent a cyber breach, but proper training is a critical line of defence. In most cases, cyber attackers gain access through a member of staff, so its vital employees are trained to recognise suspicious or fraudulent activity. With the threat of cyber attacks increasing exponentially there is no excuse for companies not to be investing in the development of a robust mitigation plan, underpinned by a set of employee policies and guidelines.”
The UK’s largest conference for tech leadership, Tech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here