Most business decision makers in the UK admit that their organisation will suffer from a cyber security breach. They also anticipate that to recover from a data breach would cost upwards of £1.2m on average for their organisation, the highest figure globally. This is according to a new Risk:Value report from the information security and risk management company, NTT Com Security, which surveyed business decision makers in the UK, as well as US, Germany, France, Sweden, Norway and Switzerland.
While nearly half (48 per cent) of UK business decision makers say information security is ‘vital’ to their organisation and just half agree it is ‘good practice’, a fifth admit that poor information security is the ‘single greatest risk’ to the business, ahead of ‘decreasing profits’ (12 per cent), ‘competitors taking market share’ (11 per cent) and on a par with ‘lack of employee skills’ (21 per cent).
Well over half (57 per cent) agree that their organisation will suffer a data breach at some point, while a third disagree and one in ten say they do not know. Respondents estimate that a breach would cost them £1.2m, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration, and take on average two months to recover from. They also anticipate a 13 per cent drop in revenue, on average, following a breach.
The survey shows that recent high profile data breaches are starting to hit home. A similar report by NTT Com Security in 2014 revealed that 10 per cent of an organisation’s IT budget was spent on information security, compared to 11 per cent this year. However, in the latest report around a quarter (23 per cent) of UK businesses reveal more is spent on human resources (HR) than on information security.
In terms of remediation costs following a security breach, nearly a fifth (18 per cent) of a company’s costs would be spent on legal fees, 18 per cent on fines or compliance costs, 17 per cent on compensation to customers, and 11 per cent for third party remediation resources. Other anticipated costs include PR and communications (14 per cent) and compensation paid to suppliers (12 per cent) and to employees (11 per cent). According to the report, most respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66 per cent) and damage to reputation (57 per cent), as well as direct financial loss (41 per cent). Over a third of decision makers (34 per cent) expects to resign or expects another senior colleague to resign as a result of a breach.
Stuart Reed, Senior Director, Global Product Marketing, NTT Com Security, says: “Attitudes to the real impact of security breaches have really started to shift, and this is no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well – whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even possibly their jobs.”
Who’s responsibility is it?
· 41 per cent of UK organisations have a disaster recovery plan in place, and 40 per cent have a formal security policy in place. In both cases, almost half are in the process of implementing or designing one.
· When it comes to responsibility for managing the company’s recovery plan, 15 per cent say the CEO now has responsibility, although it still largely falls to the Chief Risk Officer (CRO), Chief Information Office (CIO) or Chief Security Officer (CSO).
· While 77 per cent agree it is ‘vital’ their business is insured for security breaches, only 26 per cent have dedicated cyber security insurance. However, 38 per cent are in the process of getting a policy.
· One in five respondents in the UK say they do not know if their organisation has any type of insurance to cover for the financial impact of data loss or an information security breach.
Stuart Reed adds: “It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are planning to implement one soon. Clear, concise internal processes and policies for employees and contractors have so often been overlooked and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it clear that educating staff about security should be a top priority, supported by clear, simple procedures and backed up by a solid incident response plan.”
