The global information security and risk management company found this to be the highest figure for all the countries included in the report, which surveyed business decision makers in the US, Germany, France, Sweden, Norway and Switzerland. Respondents estimate that a breach would cost them £1.2m, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration. They also anticipate that on average revenue would drop by 13 per cent following a breach.
Nearly half (48 per cent) of UK business decision makers say information security is ‘vital’ to their organisation and just half agree it is ‘good practice’. A fifth admit that poor information security is the ‘single greatest risk’ to the business, ahead of ‘decreasing profits’ (12 per cent), ‘competitors taking market share’ (11 per cent) and on a par with ‘lack of employee skills’ (21 per cent). More than half (57 per cent) agree that their organisation will suffer a data breach at some point, while a third disagree and one in ten say they do not know.
The survey shows that recent high profile data breaches are starting to happen after another report published by NTT Com Security in 2014 revealed that 10 per cent of an organisation’s IT budget was spent on information security, compared to 11 per cent this year. However, in the latest report around a quarter (23 per cent) of UK businesses reveal more is spent on human resources (HR) than on information security.
“Attitudes to the real impact of security breaches have really started to shift, and this is no surprise given the year we have just had,” said Stuart Reed, senior director, Global Product Marketing, NTT Com Security. “We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well – whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even possibly their jobs.”
Further findings from NTT Com Security
41 per cent of UK organisations have a disaster recovery plan in place, and 40 per cent have a formal security policy in place. In both cases, almost half are in the process of implementing or designing one.
When it comes to responsibility for managing the company’s recovery plan, 15 per cent say the CEO now has responsibility, although it still largely falls to the Chief Risk Officer (CRO), Chief Information Office (CIO) or Chief Security Officer (CSO).
While 77 per cent agree it is ‘vital’ their business is insured for security breaches, only 26 per cent have dedicated cyber security insurance. However, 38 per cent are in the process of getting a policy.
One in five respondents in the UK say they do not know if their organisation has any type of insurance to cover for the financial impact of data loss or an information security breach.
“It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are planning to implement one soon,” adds Reed. “Clear, concise internal processes and policies for employees and contractors have so often been overlooked and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it clear that educating staff about security should be a top priority, supported by clear, simple procedures and backed up by a solid incident response plan.”
Research demographics
Commissioned by NTT Com Security, the research was conducted by Vanson Bourne during October and November 2015. 1,000 business decisions makers (not in IT) were surveyed in the US, UK and Germany (200 in each), and France, Sweden, Norway and Switzerland (100 in each). Organisations had more than 500 employees, but those in Norway, Sweden and Switzerland could come from organisations with at least 250 employees. There were a minimum number of responses from the financial services sector (at least 50 in UK, US, France & Germany and minimum of 30 in the other countries).
Download the Risk:Value Executive Summary report.
Image: iStock