The latest Lloyds of London report on cyber risk revealed that 97% of UK companies have suffered a breach in the last five years, whilst only 42% were worried about it happening again. With every metric showing an increase in cyber attacks (up 60% in some areas, such as online fraud) it’s surprising that so few companies are concerned about another breach, or taking steps to prevent one.
The survey findings from Lloyds of London are reflected in other recent research on the state of cyber insecurity. The UK Government recently released a Cyber Security Breaches survey, which found that 69% of businesses say cyber security is a high priority but far less seem to have it as an actionable priority. Only 29% have written cyber security policies and a mere 10% have an incident response plan. Policies are important because they are an organisation’s articulation of what they expect from their employees. Having them in place means employees have somewhere to look for guidance on what they should and should not be doing. Not only should written policies be in place, they should also be well-crafted, clearly communicated and easily accessible.
How to Plan for a Cyber Attack
It is surprising that so many organisations have failed to document what they expect from their employees. Even more surprising is the fact that only 10% have a Cyber Incident Response Plan. With huge data breaches hitting the headlines, becoming the victim of a cyber attack is arguably likely to happen sooner or later. Organisations must plan their response to an attack so that if they become the victim, they can respond appropriately and limit damage caused by the breach and any media attention which follows. When 97% of UK companies have experienced a breach, it is staggering that only 10% have acted on the experience and developed an incident response plan.
When it comes to cyber security, leadership is vital. Organisations that lead from the top have a stronger cyber security culture and the need to handle data responsibly is more likely to be embedded at all levels. Cyber security is a boardroom issue, a business risk and, looking to the future, poses an even greater threat to organisations tomorrow than it does today. However, a recent survey from Marsh found that only 30% of UK businesses have boardroom oversight of cyber security. Perhaps this is the crux of the problem. Without leadership from the top, a structured cyber security programme and a holistic appreciation of the risks it faces, UK businesses will continue to have a dichotomous approach to cyber security.
By Dr Jessica Barker, Senior Consultant in Kroll’s Investigations and Disputes practice based in London.