Brian Jackson - Fotolia

UK businesses expect cyber attack recovery to cost at least £1.2m

Most UK firms are implementing a cyber security policy and disaster recovery plan as they realise poor information security is the greatest risk to business

More than half of UK businesses expect to be hit by a cyber attack and that recovery costs will be £1.2m or more, a study has revealed.

This is the highest figure globally, according to the Risk:Value 2016 report by information security and risk management company NTT Com Security.

The report is based on a survey of business decision-makers in the UK, the US, Germany, France, Sweden, Norway and Switzerland.

Although about 50% of UK respondents said information security was vital to their organisation and agreed it was good practice, 20% admitted that poor information security was the single greatest risk to the business, ahead of decreasing profits (12%), competitors taking market share (11%) and on a par with lack of employee skills (21%).

Well over half (57%) agreed that their organisation would suffer a data breach at some point, while only one-third disagreed and one in 10 said they did not know.

Respondents estimated that a breach would cost them £1.2m, before “hidden costs” such as reputational damage and brand erosion were taken into consideration.

They expected recovery from a cyber attack to take an average of two months, and they anticipated a 13% drop in revenue, on average, following a breach.

The survey showed that recent high-profile data breaches are starting to hit home, with organisations spending 11% of their IT budgets on information security, up from 10% the previous year.

However, nearly a quarter of the UK businesses surveyed revealed that more is spent on human resources than on information security.

Detailing remediation costs following a security breach, the report said respondents indicated that they expected 18% to be spend on legal fees, 18% on fines or compliance costs, 17% on compensation to customers, and 11% on third-party remediation.

Read more about incident response

Other anticipated costs included PR and communications (14%) and compensation paid to suppliers (12%) and to employees (11%).

According to the report, the vast majority of UK respondents admitted they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%), as well as direct financial loss (41%). More than one-third of decision-makers (34%) expected to resign or expected another senior colleague to resign because of a breach.

“Attitudes to the real impact of security breaches have really started to shift, and this is no surprise given the year we have just had,” said Stuart Reed, senior director, global product marketing at NTT Com Security.

Major brands reeling

“We have seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their reputation.

“While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well – whether in terms of third-party and other remediation costs, customer confidence, lost business or even possibly their jobs.”

The study found that although only 41% of UK organisations have a disaster recovery plan in place and only 40% have a formal security policy, in both cases almost half are in the process of implementing or designing one.

In terms of responsibility for managing a company’s recovery plan, 15% of respondents said the CEO now has responsibility, although it still largely falls to the chief risk officer, chief information officer or chief security officer.

Cyber security insurance

While 77% agreed it is vital that their business is insured for security breaches, only 26% have dedicated cyber security insurance – but 38% are in the process of getting a policy.

One in five UK respondents said they did not know if their organisation had any type of insurance to cover for the financial impact of data loss or an information security breach.

“It is encouraging to see that almost all UK businesses either have a disaster recovery and formal information security policy in place, or are planning to implement one soon,” said Reed.

“Clear, concise internal processes and policies for employees and contractors have so often been overlooked, and this is what can lead to complacency and poor security hygiene.

“When we talk to clients, we make it clear that educating staff about security should be a top priority, supported by clear, simple procedures and backed up by a solid incident response plan.”

Read more on Hackers and cybercrime prevention