Most UK companies don't really understand cyber-risks

A new report from insurance broker Marsh reveals that only 18 percent of UK firms admit to having a “complete understanding” of cyber-related threats, a significant fall from 34 percent one year ago. The study also has some concerning figures on board engagement, security monitoring and cyber-insurance.

The most startling figures in the ‘UK 2015 Cyber Risk Survey Report’ concern the extent to which businesses see cyber-security as a risk that can affect their operations.

In the study, 26.6 percent of UK respondents admitted that they did not consider cyber-risk important enough to put on the risk register, while only 16.6 percent placed it among their top five risk priorities. The remaining organisations put it outside the top 10, a staggering finding considering that the UK government ranks cyber-security as a tier one threat under the UK National Security Strategy.

The research further indicates that these companies are getting hacked, although how much they know about it is another matter: fewer than a third (31.9 percent) had identified one or more cyber-scenarios that would affect their organisation, while 40.3 percent admitted that their company had been hit by a cyber-attack in the past 12 months.

On this last figure, Marsh pointed to the recently published government-commissioned PwC report, which put the proportion of organisations breached at 90 percent, and said that the remaining companies were either very lucky or, more likely, simply unaware that they had been breached.

In the event of a breach, well over half (61 percent) made no attempt to estimate the financial loss; of those that did, 15.3 percent put the cost at more than £1 million and 13.9 percent at more than £5 million. Only 11.3 percent of firms professed to have cyber-insurance.

Board-level ownership of such risks stood at 19.4 percent of organisations, compared with 20 percent last year, while Marsh noted that IT remains primarily responsible for cyber-risk in 55.5 percent of organisations.

“Cyber-risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT,” reads the report.

“IT departments might know how to implement cyber-security; however, the inability of IT to drive value for the organisation, or the potential for significant damage to be caused as a result of a security breach, most certainly is a business risk, the consequences of which will be felt at the highest levels of the organisation should it occur. Boards therefore need to take ownership of cyber-risk before a cyber-event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources with the business's risk management agenda.”