The total cost of cyber security breaches to UK mid-market businesses with a turnover between £15m and £1bn a year reached at least £30bn in the past 12 months, according to assurance, tax and advisory firm Grant Thornton.
More than half (53%) of just over 500 UK mid-market companies interviewed reported losses equivalent to between 3% and 10% of revenue following a cyber breach, with those businesses hit most severely reporting losses as high as 25% of revenue.
Despite this, almost two-thirds (63%) of the companies interviewed had no board member with specific responsibility for cyber security, and the same proportion said the board did not formally review cyber security risks and management, Grant Thornton’s latest Cyber security board report found.
The organisations interviewed were also under-prepared in terms of making their people aware of cyber risks, with only one in three (36%) providing all their employees with cyber security training in the past 12 months.
James Arthur, partner and head of cyber consulting at Grant Thornton, said boards had a key role to play in ensuring they had an effective cyber strategy in place.
“Putting cyber crime onto the board’s agenda is one of the most effective ways to minimise the chances of a successful attack and reduce the financial impact if a breach occurs. With that in mind, it is worrying that almost two-thirds of the businesses we interviewed do not have a board member responsible for cyber security,” he said.
Read more about cyber risk
- In assessing the cyber risks to a business, security professionals should start with the people in an organisation and keep them at the centre in identifying and mitigating risk, says consultant.
- Enterprises lack capability against persistent cyber attacks.
- Every organisation must consider the cyber risks it faces and the impact an attack might have.
- Few organisations are managing cyber risk, survey shows.
While commitment from the top is vital, Arthur said ensuring employees were properly trained was also essential.
“Often, companies make themselves vulnerable to attack simply by failing to get the basics right. Training to raise employee awareness can have a hugely positive impact on cyber security.
“People are often unaware of the important role they play in helping a business to stay protected, so companies of all sizes need to ensure they have regular and ongoing cyber security training in place.”
Although almost 70% of respondents felt confident in their ability to respond consistently at any time to a cyber attack across their entire organisation, the study revealed that over half of the businesses surveyed did not have a cyber incident response plan in place (59%).
James Arthur, Grant Thornton
The importance of having a well-rehearsed plan of action cannot be underestimated, the report said. The research also found that companies with an incident response plan in place experienced lower financial losses from a cyber attack than those without one.
“Cyber crime represents a serious threat to every UK business and, as our research shows, just one successful attack can amount to a huge revenue loss,” said Arthur, noting that mid-market companies were particularly vulnerable because they have a level of resources that make them an attractive target but are less likely to implement best-in-class cyber security compared with larger companies.
“Businesses need to understand where their weak points are in order to counter the threat effectively. Yet our research shows that perceived and actual vulnerability often don’t match up, with many businesses feeling confident in their cyber management capacity but having no meaningful response plans in place. A pre-prepared, effective response plan allows a business to do the right thing as fast as possible, in a situation where every minute counts,” he said.
The study showed that many companies were relying on regular data backups to be able to recover rapidly from cyber incidents. “But with modern ransomware specifically designed to spend up to six months infecting entire networks, including data backups, this cannot be relied upon as a core component of a response plan,” said Arthur.
The report identified six key areas that mid-market boards should be focusing on to ensure they are properly prepared:
- Establishing a cyber incident response plan;
- Regularly rehearsing the response plan using a range of different scenarios;
- Monitoring and managing the risk posed from their supply chain;
- Ensuring they understand the terms of their insurance and what is covered;
- Understanding what “normal” looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns;
- Investing in regular training and raising their people’s awareness of cyber security.
“Effective cyber security does not need to cost the earth and goes beyond simply investing in new technology. There are simple, specific steps companies can take, such as implementing a meaningful cyber response plan and understanding what is normal for their business, to put themselves in a much stronger position.
“Cyber risk management should be fundamental for every business striving to grow in a connected, digital world, and boards need to recognise its importance. No business – whatever its size or sector – is immune,” said Arthur.
Read more about incident response
- Cyber security experts weigh in on lessons learned from cyber attack experiences, underlining that recovery capability is as important as defence.
- Making the most of incident detection and response.
- Ensure incident response in the face of inevitable messaging leaks.
- Crafting a cyber security incident response plan, step by step.