Most business decision makers in the UK admit that their organisation will suffer from a cyber security breach at some point. They also anticipate that to recover from a breach would cost upwards of £1.2 million on average for their organisation, the highest figure globally.
This is according to a new Risk:Value 2016 report from global information security and risk management company NTT Com Security, which surveyed business decision makers in the UK, as well as the US, Germany, France, Sweden, Norway and Switzerland.
While nearly half (48%) of UK business decision makers say information security is vital to their organisation and just half agree it is good practice, a fifth admit that poor information security is the single greatest risk to the business, ahead of decreasing profits (12%) and competitors taking market share (11%), and on a par with lack of employee skills (21%).
Over half (57%) agree that their organisation will suffer a data breach at some point, while a third disagree and one in 10 say they do not know.
Respondents estimate that a breach would cost them £1.2m on average, even before hidden costs such as reputational damage and brand erosion are taken into consideration, and would take around two months to recover from. They also anticipate a 13% drop in revenue, on average, following a breach.
The survey shows that recent high-profile data breaches are starting to hit home. A similar report published by NTT Com Security in 2014 found that 10% of an organisation's IT budget was spent on security, compared with 11% this year. However, in the latest report around a quarter (23%) of UK businesses say more is spent on human resources (HR) than on information security.
In terms of remediation costs following a security breach, respondents expect nearly a fifth (18%) of a company's costs to go on legal fees, 18% on fines or compliance costs, 17% on compensation to customers and 11% on third-party remediation resources. Other anticipated costs include PR and communications (14%) and compensation paid to suppliers (12%) and to employees (11%).
According to the report, the vast majority of respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%), as well as direct financial loss (41%). Over a third of decision makers (34%) expect to resign, or expect another senior colleague to resign, as a result of a breach.
Whose responsibility is it anyway?
- 41% of UK organisations have a disaster recovery plan in place and 40% have a formal security policy. In both cases, almost half are in the process of implementing or designing one.
- When it comes to responsibility for managing the company's recovery plan, 15% say the CEO now has responsibility, although it still largely falls to the chief risk officer (CRO), chief information officer (CIO) or chief security officer (CSO).
- While 77% agree it is ‘vital’ their business is insured for security breaches, only 26% have dedicated cyber security insurance. However, 38% are in the process of getting a policy.
- One in five respondents in the UK say they do not know whether their organisation has any type of insurance to cover the financial impact of data loss or an information security breach.