Many companies think they excel at cyber security – but our research suggests something very different.
UK companies are greatly underestimating their cyber security risk. Consequently they may be far more exposed than they imagine.
As part of Lockton’s UK Cyber Security Survey 2017, we asked 200 senior decision makers how they think their cyber risk mitigation compares with other companies in their industry.
Interestingly, 60% of companies say they are ‘leading’ or ‘almost leading’ their industry.
Among manufacturers, almost three quarters (72%) think they excel in this area. Even among gaming and entertainment companies, where confidence levels are lowest, almost half (49%) say they are ‘leading’ or ‘almost leading’ their industry.
Similarly, 59% of companies say their industry is ‘extremely’ or ‘very well’ prepared against cyber attacks. Meanwhile, only 36% of companies think that their industry is ‘very’ or ‘extremely’ exposed to cyber attacks.
Fact or fiction?
Companies’ optimism is at odds with the ever-increasing number of publicly documented cyber incidents, never mind the incidents that companies choose to keep quiet about or simply never detect.
Nearly half (46%) of British businesses discovered at least one cybersecurity breach or attack in the past year, according to the UK Government. Among medium to large companies, more than two-thirds fell victim to a cyber breach or attack. For larger organisations in particular, the cost of a cyber breach can run into millions of pounds, with additional hits to a company’s reputation and customer base.
Our research found that senior business leaders’ confidence in their companies’ cyber mitigation is also incongruent with the steps they actually take to protect themselves:
• The great majority of companies are not minimising the risk of being hacked. Only 8% of companies take measures to detect whether they’ve been hacked every day – something all companies should do.
• Many companies do not do enough to minimise the risk of human-error related cyber incidents – with only 58% making new staff aware of their cyber security processes and procedures.
• Many companies do not have sufficient Board-level buy-in to implement effective cyber breach scenario planning – with only 50% involving their Boards.
• Many companies are ill-prepared for the communication challenges that would follow a cyber breach – with only 26% involving their Head of PR and Comms when planning for a breach.
• The Head of HR is only involved in planning for a cyber breach in 7% of companies – worrying, considering how a breach could affect employees (for example, through the loss of personal data).
When it comes to their cyber security, are companies being too complacent, or are they simply unaware of the true nature of their cyber risks? It may well be a bit of both.
Companies often struggle to find good-quality data on other companies’ cyber mitigation, inside or outside their own industry. If you’re in charge of a company’s cyber security, it’s a constant challenge to know how your company’s cyber security compares with others, and to understand what ‘good’ looks like.
We also often see a gap between what the Board think their company is doing regarding cyber security and the reality. This could be the result of Boards not fully understanding their company’s cyber risks, security professionals and others ineffectively communicating these issues to the Board, or both.
The exact reasons for this over-confidence will doubtless differ between companies and industries. It is clear, however, that many UK companies’ cyber risk mitigation is inadequate. Despite the almost daily reportage of cyber incidents, many companies still do not appreciate the severity of cyber risks, or simply lack the resource and expertise to manage them.
Over the next few months, Lockton will be sharing results from our UK Cyber Security Survey 2017. Alongside the results, we will provide advice and analysis on various aspects of cyber security, including:
• Cyber breach scenario planning,
• Hacking detection measures,
• Working with third parties after a breach,
• Managing staff-related cyber risks,
• Cyber risks companies expect to increase most.
UK companies have made great improvements to their cyber security in recent years. It seems, however, that the really hard work is still to come.
For more information, please contact Peter Erceg on:
+44 (0)20 7933 2608