UK firms failing to make financial plans for cyber attacks
Most UK firms are failing to plan for the financial impact of cyber attacks, a survey by Lloyds Bank has revealed
Only a third of UK business leaders say they have a financial plan in place to counter the effects of a cyber attack, a survey shows.
This is despite the fact that 80% of UK business leaders are concerned or very concerned about the financial implications of a cyber attack on their business, according to a poll of more than 150 business leaders at Lloyds Bank’s recent Cyber Beyond IT event in London.
The event explored how the growing digitisation of businesses and their supply chains, and the emergence of the internet of things (IoT), are accelerating companies’ risk of disruption from a cyber attack, and how the financial implications are often overlooked.
The poll showed that only 32% of respondents have a financial resilience plan in place, 43% do not have a financial cash reserve in place for an attack,
However, more than a third (34%) said their companies would pay a ransom to get their systems and data back in the case of a cyber attack, and more than one in ten said they would pay a ransom of £1m or more.
Giles Taylor, head of data and cyber security at Lloyds Bank Commercial Banking, said the world is moving quickly and the reality today is that the economic impacts of cyber security can no longer be ignored.
“Until recently, cyber has been seen as a problem for the IT department to manage but when the worst happens, the whole business suffers. A startling finding is that over a third of companies would pay a ransom to retrieve their data from an attacker when there is no guarantee that a business will get its data back or that its systems will be safe to use again,” he said.
The poll also revealed that 65% of companies think it would take them six months or more to recover from a disruptive cyber-attack, while almost a fifth (18%) said it would take one year or more to recover.
At the same time, only 53% said their companies regularly discuss cyber risk at their board meetings, and only 24% said their firms have dedicated cyber insurance.
“A common problem faced by businesses is failing to understand the full financial impact of a cyber-attack,” said Taylor.
“Businesses recognise there will be disruption, but if recovery is going to take months or years rather than weeks, then without a plan the financial implications can be disastrous. A cyber crisis can quickly turn into a liquidity crisis and the sudden drain on cash reserves could affect a firm’s ability to pay staff or suppliers and stay afloat,” he said.
According to Taylor, the poll findings highlight the fact that organisations are not considering all of the knock-on effects of a cyber-attack and do not always have sufficient financial plans in place. “Strong governance, operational and financial planning should be at the heart of any cyber-response activity so that they are better equipped to minimise any potential harm,” he said.
Prevention rather than recovery
Commenting on the poll findings, David Emm, principal security researcher at Kaspersky Lab, said robust IT security strategies should be implemented in a business from the ground up. “It is about prevention rather than recovery – but having cyber insurance can provide additional peace of mind.
“The growth in the number of organisations purchasing these insurance policies reflects the importance that business owners and decision makers are – and should be – placing on their IT security,” he said.
According to Emm, any company not implementing comprehensive security measures could struggle – or fail – to recover from a breach or attack.
“Even so, cyber insurance should be as prevalent as home and contents insurance are in the domestic sphere, and should be regarded by companies as a vital part of their business that plays a key role in cushioning them from the financial impact that a cyber-attack can cause.”