A new report from insurance broker Lockton, claims that UK businesses are unprepared for the potential length and severity of a cyber security breach. In ‘Cyber Aftershock: How UK companies underestimate the seismic waves produced by a data breach’, the firm claims that fully half of UK companies (50 percent) expect to be entirely operational 48 hours after a large-scale cyber security breach. The survey of senior decision-makers shows that only 2 percent of UK businesses think a breach will affect them for more than 10 days. The report challenges these ways of thinking and sets out the key steps organisations should now be taking.
Peter Erceg, SVP of Global Cyber & Technology at Lockton said: “The fact that so few businesses are aware of the aftershocks caused by a cyber attack is concerning. It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
Failure to involve PR in breach planning puts reputations on the line
Reputational damage is one of the most recognised impacts on a business following a loss of third party data, identified by 63 percent of businesses in Lockton’s report. Yet only a quarter (26 percent) of UK companies say the Head of PR and Communications is involved in cyber breach scenario planning at all. Also, just 42 percent of businesses include managing public relations in their current response protocol for a loss of third party data, making this the action least likely to be undertaken following an attack. Erceg notes that a large-scale leak is impossible to hide, so communicating this proactively and properly to stakeholders – both internal and external – is vital. He said: “In recent times a number of big brands have become synonymous with the large, well-publicised attacks that have befallen them, in part because they didn’t take communication seriously enough. It could take years for them to shed that stigma.”
‘Invisible costs’ forgotten when calculating the business impact of a cyber breach
The report also claims that only half of UK businesses (52 percent) take into account loss of customers as a potential cost when calculating the possible business impact of a cyber breach. They are most likely to consider lost revenue (72 percent) and the cost of data loss (69 percent). Other costs – such as a forensic investigation (33 percent) or reviewing policies (36 percent) or regulatory fines (46 percent) are being forgotten. Erceg noted that these ‘invisible’ costs of a cyber attack are often the most costly and damaging: “The less quantifiable costs of a cyber attack take the longest for a business to recover from,” he said.
Staff need to be the front line of defence
Erceg notes that fine-tuning internal processes is vital to prevent a cyber attack, but the report found that 26 percent of businesses do not always make new staff ware of cyber security policies, and a similar proportion of staff are unaware of who to contact if they spot or experience an attempted breach – in fact, over half (58 percent) say only key staff who work directly with internal IT systems know the correct protocol for reporting or handling a breach. This problem may be compounded by the fact that only 7 percent of HR heads are involved in cyber attack planning. “95 percent of cyber security incidents are a result of human error,” said Erceg. “Training and internal policy must be the first line of defence to avoid a large-scale attack. Modern hackers prey on unsuspecting or inattentive staff to gain access to businesses.”
Lack of engagement jeopardises cyber breach planning
Board engagement is also low, with just 50 percent of businesses involving their boards at all in cyber security planning, compared to 96 percent who involve the head of IT. Just over a quarter (26 percent) deem the board to be the most influential in tackling cyber crime. Erceg claims: “Effective cyber breach planning must involve stakeholders from across the business. This is no longer the purview of a few IT specialists. The shock waves of a cyber attacks are too damaging and too prevalent for businesses to not make it one of the biggest risks they face. Companies need to shift from a reactive to proactive approach to avoid and manage a cyber attack. Today, we should all be considering when, not if an attack will happen and protect ourselves from the risk.”