UK businesses financially unprepared for cyber-attacks

News by Mark Mayne

In spite of the prevalence of cyber-threats facing every business sector, a survey has found that two thirds of businesses do not have a financial plan in place in the event of a cyber-attack.

In spite of this, more than a third (34 percent) would pay a ransom to get their systems and data back in the event of a ransomware attack, with more than one in ten attendees (13 percent) stating that they would pay a ransom of £1 million or more. Perhaps most worryingly, only half (53 percent) of companies discuss the risk of cyber-attacks at board level.

Andrew Lloyd, President at Corero Network Security, told SC Media UK: “It is rather worrying that only 50 percent of companies discuss the risk of cyber-attacks at the Board level. Given the (Companies Act) responsibilities that UK Directors have to work within, in 2018 it is highly unlikely that any Director would pass the exercising ‘reasonable care, skill and diligence’ test without asking cyber-assurance questions. Next month will see the start of enforcement of the GDPR and, for operators of essential services, the NIS Regulations. These new regulations raise the bar to such a level that any plausible deniability excuse that a Board could possibly have had in years past will be blown away.

“For many companies, cyber-attacks are an everyday occurrence. Many others may be blissfully unaware of the probing/testing attempts being made on their networks and devices by the cyber-criminals. Either way, it makes far more sense to have up-to-date cyber-defences than to have to rely on cyber-insurance, or arguably worse, coughing up the cryptocurrency to settle a ransomware demand.”

Further findings from the audience poll showed that a significant 65 percent of companies thought it would take them six months or more to recover from a disruptive cyber-attack; almost a fifth (18 percent) said one year or more to recover. More than four in ten businesses (43 percent) do not have a financial cash reserve in place for an attack, and only a quarter of firms have dedicated cyber-insurance.

David Emm, Principal Security Researcher at Kaspersky Lab, said: “Robust IT security strategies should be implemented in a business from the ground up – it's about prevention, rather than recovery – but having cyber-insurance can provide additional peace of mind. The growth in the number of organisations purchasing these insurance policies reflects the importance that business owners and decision makers are – and should be – placing on their IT security. In today's complex threat landscape, any company not implementing comprehensive security measures could struggle – or fail – to recover from a breach or attack. Even so, cyber-insurance should be as prevalent as home and contents insurance are in the domestic sphere, and should be regarded by companies as a vital part of their business that plays a key role in cushioning them from the financial impact that a cyber-attack can cause.”

Although arriving at a precise value for a cyber-attack is tricky due to the range of variables, current estimates range from Lloyd's of London's global cost of more than $120 billion (£92 billion) through to PwC's Global State of Information Security Survey 2018, which found that “the average total financial cost of incidents [was] £857,000”.

Dr Anton Grashion, Managing Director, Security Practice at Cylance, told SC Media UK that prevention is indeed the best cure: “This is a recurring theme in surveys of businesses. Cyber-security insurance is just one of the measures organisations can deploy to deal with risk and is often associated with the irreducible amount of risk that is resistant to the other strategies of mitigation, sharing, and avoidance. Because a disproportionate share of the cost of a breach is concentrated in the business implications rather than in all the technical/OPEX-heavy responses to a breach, it seems to make perfect sense that a great deal of effort should be concentrated on a prevention strategy first and foremost. While this has proved problematical in the past utilising legacy security tools, new AI and ML technologies can be deployed to stop the first domino from falling and thus proving the adage that an ounce of prevention is worth a pound of cure.”

The survey was conducted at a Lloyds Bank cyber-event, canvassing the views of over 150 executives (from small and medium-sized businesses up to larger global corporates).