UK firms ‘severely unprepared’ for cyber attacks

No comments

Broker study finds misconceptions about length and severity of disruption from cyber attacks

cyber attacks

UK businesses are “severely unprepared” for cyber attacks, a new study by insurance broker Lockton has found.

The study – in which Lockton polled 200 chief financial officers, chief risk officers, chief information officers, risk directors and legal counsel – uncovered misconceptions about the length and severity of disruption from cyber attacks.

Half of the respondents expected to be fully operational 48 hours after a large-scale security breach, and only 2% said that a breach would affect them for more than 10 days.

But Lockton senior vice-president of cyber and technology Peter Erceg said that it can take several months, if not years, to be fully operational after a large-scale breach.

He said: “UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”

And while 63% of respondents recognised reputational damage as an impact of a cyber attack, only 26% of respondents said that their head of public relations and communications is involved in cyber breach planning.

And 42% of businesses include public relations in their response protocol for a loss of third-party data.

The report also found that only 52% of businesses take into account loss of customers when calculating the possible impact of a cyber breach.

Companies are also failing to recognise other costs, such as forensic investigation, factored in by only 33% of respondents; reviewing policies, recognised by 36%, and regulatory fines, recognised by 46%.

Erceg said: “The less quantifiable costs of a cyber attack take the longest for a business to recover from,” he said.

On top of this the survey found that only 50% of companies involve their boards in cyber planning.

Erceg said: “Effective cyber breach planning must involve stakeholders from across the business. This is no longer the purview of a few IT specialists. The shock waves of a cyber attacks are too damaging and too prevalent for businesses to not make it one of the biggest risks they face.”

“Companies need to shift from a reactive to proactive approach to avoid and manage a cyber attack. Today, we should all be considering when, not if an attack will happen and protect ourselves from the risk.”