Broker study finds misconceptions about length and severity of disruption from cyber attacks
UK businesses are “severely unprepared” for cyber attacks, a new study by insurance broker Lockton has found.
The study – in which Lockton polled 200 chief financial officers, chief risk officers, chief information officers, risk directors and legal counsel – uncovered misconceptions about the length and severity of disruption from cyber attacks.
Half of the respondents expected to be fully operational 48 hours after a large-scale security breach, and only 2% said that a breach would affect them for more than 10 days.
But Lockton senior vice-president of cyber and technology Peter Erceg said that it can take several months, if not years, to be fully operational after a large-scale breach.
He said: “UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
And while 63% of respondents recognised reputational damage as an impact of a cyber attack, only 26% of respondents said that their head of public relations and communications is involved in cyber breach planning.
And 42% of businesses include public relations in their response protocol for a loss of third-party data.
The report also found that only 52% of businesses take into account loss of customers when calculating the possible impact of a cyber breach.
Companies are also failing to recognise other costs, such as forensic investigation, factored in by only 33% of respondents; reviewing policies, recognised by 36%; and regulatory fines, recognised by 46%.
Erceg said: “The less quantifiable costs of a cyber attack take the longest for a business to recover from.”
On top of this, the survey found that only 50% of companies involve their boards in cyber planning.
Erceg said: “Effective cyber breach planning must involve stakeholders from across the business. This is no longer the purview of a few IT specialists. The shock waves of a cyber attack are too damaging and too prevalent for businesses to not make it one of the biggest risks they face.”
“Companies need to shift from a reactive to a proactive approach to avoid and manage a cyber attack. Today, we should all be considering when, not if, an attack will happen and protect ourselves from the risk.”