UK businesses are overconfident in their cyber security planning and underestimate the damage of the “seismic aftershock” that occurs after a breach, according to a new report.
According to research by Lockton, half of UK firms expect to be fully operational within 48 hours of a cyber breach and only two per cent believe the effects will last longer than 10 days.
However, the recovery time for companies hit by large-scale cyber attacks can actually be months or years, and the study also exposed holes in organisations’ response planning.
For example, 63 per cent of firms recognise reputational damage as a risk of a data breach, but only 26 per cent include their PR and communications chiefs in their incident response plans.
Meanwhile, while 72 per cent of firms know they can lose revenue and 69 per cent recognise that they can lose data, only 52 per cent of firms consider lost customers as a potential cost of a breach.
Just a third factor in the cost of a forensic investigation, only 36 per cent think about time spent reviewing policies and just 46 per cent consider the regulatory fines they might receive.
“The fact that so few businesses are aware of the aftershocks caused by a cyber attack is concerning,” said Peter Erceg, senior vice president of global cyber and technology at Lockton.
“It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be a bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
A lack of senior managerial influence may be holding back the effectiveness of some businesses’ incident responses – just half of businesses involve their boards in cyber security planning.
“Effective cyber breach planning must involve stakeholders from across the business,” Erceg said. “This is no longer the purview of a few IT specialists. The shockwaves of cyber attacks are too damaging and too prevalent for businesses to not make it one of the biggest risks they face.
“Companies need to shift from a reactive to proactive approach to avoid and manage a cyber attack. We should all be considering when, not if, an attack will happen and protect ourselves from the risk.”
Matt Smith | @MattCASmith