UK and US businesses overconfident in preparedness for data breaches

News by Danielle Correa

Despite most UK and US businesses reporting cyber-security breaches in the last year, large numbers of them overestimate their readiness to fight breaches.

A new report from SolarWinds MSP reveals that businesses are gravely over-optimistic about their ability to deter and cope with malicious attacks, with 87 percent of IT executives considering their cyber-security readiness as robust. Four hundred SMBs and enterprises, split evenly between the UK and US, contributed responses to the survey.

Fifty-nine percent of IT executives believe they are less vulnerable than they were 12 months ago. Given another 61 percent of businesses are anticipating a significant boost to their cyber-security budgets, they are confident this will improve. However, 71 percent of the same respondents reported they have experienced a breach in the last 12 months. In the UK, this figure dropped slightly to 69 percent.

Of the UK businesses that were breached, 77 percent have identified that they suffered a tangible loss. The figure climbs to 85 percent in the US.

Less than 50 percent of businesses implemented new security technologies after a data breach, while 14 percent did nothing at all. In the UK, only 43 percent of businesses implemented new security technology after a breach.

In the UK, 54 percent have high confidence in the measures in place to protect against data breaches.

DDoS attacks, fraud, ransomware and malicious insider acts account for more than a quarter (27 percent) of breaches in the UK.

Overall, insider acts were reported as a major cause of data breaches by 32 percent of surveyed businesses.

The typical costs of a single data breach to SMBs and enterprises in the UK are £59,000 and £724,000, respectively.

The report says this overconfidence may be due to shortcomings in basic security principles, such as inconsistency in enforcing security policies; negligence in the approach to user security awareness training; shortsightedness in applying cyber-security technologies; complacency around vulnerability reporting; inflexibility in adapting processes after a breach; stagnation in applying key prevention techniques; and lethargy around detection and response.

The research suggests that companies looking to maintain or improve their security must pay attention to these key principles or their overconfidence can lead to an extinction event for their business.

Seventy-two percent of UK respondents don't reliably apply or audit security policies, while only 13 percent consider user security awareness training a priority. Furthermore, only 25 percent can call their vulnerability reporting “robust”.

Commenting on the report, John Pagliuca, general manager at SolarWinds MSP, said in a statement: “These revelations beg the question, ‘How can IT leaders feel so prepared yet still be exposed?’ One of the main reasons is that people are confusing IT security with cyber-security. The former is what companies are talking about when they think about readiness. However, what they often don't realise is that cyber-security protection requires a multi-pronged, layered approach to security that involves prevention, protection, detection, correction, and the ability to restore data and systems quickly and efficiently.”
