Businesses cannot afford to be complacent about cyber security, experts warn, after research by Lloyd's of London shows that most European businesses have suffered a data breach in the past five years.
Despite this, only 54% of CEOs in European companies take responsibility for cyber security and only 42% of firms are concerned about a further attack, according to Lloyd's Facing the Cyber Risk Challenge survey of nearly 350 senior business decision makers from across Europe, including 100 from UK businesses.
The survey found that many businesses still underestimate the potential impact of a cyber incident: only 13% of European companies believe they would lose customers in the event of a cyber attack.
The survey findings should serve as a warning that firms may still be too complacent about how prepared they are for a cyber attack and the implications that could have on their business, according to Lloyd’s chief executive Inga Beale.
“It is reassuring that responsibility for cyber risk is sitting at the most senior level of businesses, but it is clear that too many firms do not believe that the dangers of a breach will severely affect them,” said Beale.
“We no longer live in a world where you can prevent breaches taking place. Instead it is about how you manage them and what measures you have in place to protect your business and, importantly, your customers,” she said.
John Grimm, senior director at Thales e-Security, argues that more needs to be done to ensure businesses’ most sensitive data is protected from those with malicious intent.
“With 97% of UK businesses admitting they have experienced a data breach in the past five years [compared with 92% across all respondents], it’s critical for advanced cyber security access control techniques, such as robust encryption with strong key management, to be in place.
“With cyber attacks set to cost businesses globally as much as $2.1tn by 2019, there has never been a more important time for businesses to assess their data defences and ensure that sensitive and business-critical information is properly secured from attackers,” he said.
Grimm said it starts with knowing what data is sensitive and worth protecting, where that sensitive data is and all the places it goes.
“Mobile devices and the cloud have made the last part of that more complicated. Unfortunately, in today’s threat landscape, it’s not a case of ‘if’ you will be hacked but ‘when’. Therefore, data security and a strong encryption strategy have become a necessity,” he said.
Cyber insurance and the GDPR
Beale said, as recent events have shown, hard-earned reputations can be lost in a flash if businesses do not have the correct plans in place.
However, she added that insurance can play a critical role in helping businesses to cover financial losses, meet regulatory obligations and deal with potential operational and reputational fall-outs.
The survey showed that 55% of British businesses are unaware that there are cyber insurance products providing cover and services to companies that suffer a data breach.
“New Europe-wide regulations will mean that businesses have to be more responsive to any cyber incident than may have been the case in the past,” added Beale.
The European Union (EU) General Data Protection Regulation (GDPR), which applies from 25 May 2018, requires organisations that process the personal data of people in the EU to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, where feasible, and provides for fines of up to €20m or 4% of global annual turnover, whichever is higher, for failing to secure personal data.
Despite the implications of the GDPR, the survey found that 57% of business leaders admit to not fully understanding its potential implications for their company, with less than two years to go before the rules apply.
Although 97% of respondents had heard of the GDPR, only 7% report knowing “a great deal” about it, while 64% are aware that the GDPR could result in an investigation of their business, and 58% are aware of the financial penalties included in the GDPR.
Keith Stern, regional manager for the UK and Ireland at Lloyd's, said most British business leaders who are now driving decisions on cyber protection have a limited knowledge of cyber insurance.
“This is worrying, but understandable, when elements of cyber coverage can be included in many different forms of policy – property, casualty, as well as standalone cyber ones,” he said.
“The threat landscape is evolving at a rapid rate – and as technologies advance, policies advance. As a result, too many businesses are not clear what cover they have, leaving them potentially exposed to far more risk than they realise.
“Having incomplete coverage can have a huge impact on a company’s bottom line – and most businesses don’t realise until it’s too late,” he said.
Businesses have ‘too much confidence’ in reactive security systems
Ross Brewer, vice-president and managing director of international markets at LogRhythm, said the survey shows just how badly some organisations are failing when it comes to cyber defences.
“Today’s hackers are so advanced that they will eventually get into their target networks – which probably explains the high number of breached organisations,” he said.
“Focus must now shift to what they are doing while on those networks and putting measures in place to stop them as soon as possible, as this is where the damage can be greatly limited.
“The fact that so few businesses are concerned about a secondary breach could worryingly suggest that they are placing too much confidence in the reactive security systems that they deployed after the first,” he said.
In the light of the GDPR, Brewer said there is no room for complacency. “A big problem today is that businesses are taking too long to identify that they have been breached, which means hackers have time to roam the network and take what they want undetected,” he said.
“Indeed, there will be a large number of organisations unaware that they have been, or are being, attacked at any given time.
“The GDPR, however, will force organisations to comply with a mandatory breach notification window, which places additional pressure on businesses to spot and disclose a breach within 72 hours. This necessitates a deep understanding of all activity happening across their entire network, at all times,” he added.
According to Stephen Love, European security practice lead at IT services firm Insight, preparation for the GDPR is something UK firms need to address urgently.
“Despite the results of June’s referendum, from May 2018, any organisation found to be in breach of the EU GDPR will be subject to considerable fines that could damage the financial stability of the company and, coupled with the reputational fallout, could see the business facing bankruptcy,” he said.
Love said planning ahead is the best course of action for any business. “Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliance,” he said.