It’s on average a seven-figure cost, for UK organisations to recover from a security breach, it’s been estimated. The 2017 Risk:Value report, by NTT Security, is the cyber security company’s third annual study of business decision makers’ attitudes to risk and the value of information security. It’s found that a UK business would have to spend £1.1m ($1.4m) on average to recover from a breach – more than the global average of £1m ($1.3m), which has gone up from the previous report’s $907,000 estimate.
The study of 1350 non-IT business decision makers across 11 countries, that included 200 from the UK, found that respondents anticipate it would take, on average, almost three months (80 days) to recover from an attack, almost a week longer than the global average of 74 days. UK respondents also predict a significant impact of their organisation’s revenue, suggesting as much as a 9.5pc drop, which fares slightly better than the global average of nearly 10pc.
In the UK, business decision makers expect a data breach to cause short-term financial losses, as well as affect the organisation’s long-term ability to do business. More than two-thirds (64pc) cite loss of customer confidence, damage to reputation (67pc) and financial loss (44pc), while one in 10 anticipate staff losses, and 9pc expect senior executives to resign following a security incident.
A majority, 63pc of respondents in the UK ‘agree’ that a data breach is inevitable at some point, up from the previous report’s UK figure of 57pc. However, less than half (47pc) say that preventing a security attack is a regular board agenda item, suggesting that more still needs to be done for it to be taken seriously at a boardroom level in the UK.
Comment
Linda McCormack, Vice President UK and Ireland at NTT Security, says: “Companies are absolutely right to worry about the financial impact of a data breach – both in terms of short-term financial losses and long-term brand and reputational damage. Although this year’s £1.1m figure is slightly down on last year’s report (£1.2m), no company, regardless of its size, sector or focus, can afford to ignore the consequences of what are increasingly sophisticated and targeted security attacks, like the widespread and damaging ransomware attack we recently witnessed.“
Most, 72pc of UK business decision makers say their organisation has a formal information security policy in place, compared to the global average of over half (56pc) and another 16pc are in the process of implementing one. But while 83pc say it has been communicated internally, less than one third (31pc) say company employees are fully aware of the policy.
The study also raises concerns over the use and sharing of incident response plans for when a breach does happen. Around two-thirds (65pc) of UK respondents say their organisation has an incident response plan, well above the global average of 48pc. However, less than half (44pc) of business decision makers in the UK are fully aware of what the incident response plan includes.
McCormack adds: “Creating security policies seems to be a work in progress for many UK businesses, unfortunately they become redundant if they are not properly communicated and shared throughout the whole organisation, and sadly this report backs that up. We see time and again organisations with good intentions when it comes to security and response planning, but then it falls to the bottom of the priority list due to a lack of resources, budgets and time. The fact that they are struggling to find the right resources and processes to support the fundamentals in information security and risk management planning is a major concern.”
As for budget, according to UK respondents, only an estimated 14.4pc of their organisation’s operations budget is spent on information security, and 13.7pc of their IT budget is estimated to be spent on security. This compares to 15.5pc and 14.6pc respectively across all of the countries surveyed. More than a third in the UK say their organisation is spending less on information/data security than R&D (36pc), HR (36pc) and Marketing (36pc).
You can download the 2017 Risk:Value report at: www.nttsecurity.com/RiskValue2017.
