UK businesses severely unprepared for the seismic aftershocks of a cyber attack
A new report by Lockton, the world’s largest global independent insurance broker, reveals the extent to which UK businesses are unprepared for the potential length and severity of a cyber security breach.
Companies expect ‘business as usual’ within just two days
In ‘Cyber Aftershock: How UK companies underestimate the seismic waves produced by a data breach’, Lockton reveals that half of UK companies expect to be entirely operational 48 hours after a large-scale cyber security breach. The survey of senior decision-makers shows that only 2% of UK businesses think a breach will affect them for more than 10 days.
Peter Erceg, SVP of Global Cyber & Technology at Lockton said: “The fact that so few businesses are aware of the aftershocks caused by a cyber-attack is concerning. It can take several months, if not years, to become entirely operational again after a large-scale breach and for some firms a full recovery may be a bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
Failure to involve PR in breach planning puts reputations on the line
Reputational damage is one of the most recognised impacts on a business following a loss of third party data, identified by 63% of businesses in Lockton’s report. Yet only 26% of UK companies say the Head of PR and Communications is involved in cyber breach scenario planning at all. Also, just 42% of businesses include managing public relations in their current response protocol for a loss of third party data, making this the action least likely to be undertaken following an attack.
‘Invisible costs’ forgotten when calculating the business impact of a cyber breach
The report also found that 52% of UK businesses take into account loss of customers as a potential cost when calculating the possible business impact of a cyber breach. They are most likely to consider lost revenue (72%) and the cost of data loss (69%).
Other costs, such as a forensic investigation (33%), reviewing policies (36%) and regulatory fines (46%), are far less likely to be counted.
Staff need to be the front line of defence
Erceg notes that fine-tuning internal processes is vital to preventing a cyber-attack, but the report found that 26% of businesses do not always make new staff aware of cyber security policies, and a similar proportion of staff are unaware of who to contact if they spot or experience an attempted breach. 58% said only key staff who work directly with internal IT systems know the correct protocol for reporting or handling a breach. This problem may be compounded by the fact that only 7% of HR heads are involved in cyber-attack planning.
Lack of engagement jeopardises cyber breach planning
Board engagement is also low, with just 50% of businesses involving their boards at all in cyber security planning, compared to 96% who involve the head of IT. 26% deem the board to be the most influential in tackling cybercrime.