According to insurance broker Lockton, which polled 200 chief financial officers, chief risk officers and chief information officers as well as directors of risk and general legal counsel, only 2% of UK businesses think a breach will affect them for more than 10 days.
Peter Erceg, senior vice president of global cyber and technology at Lockton, said: “The fact that so few businesses are aware of the aftershocks caused by a cyber attack is concerning.
“It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be a bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
The survey also found that 63% of businesses recognised reputational damage as an impact of a cyber attack. More than a quarter (26%) of respondents said the head of PR and communications would be involved in cyber breach scenario planning, while just 42% include PR in their response protocol for a loss of third-party data.
The report also found that only 52% take into account loss of customers as a potential cost when calculating the possible business impact of a cyber breach. Meanwhile, only 33% factored in forensic investigation, 36% reviewing policies and 46% regulatory fines.
In addition, the report found that just 50% of businesses involved their boards at all in cyber security planning, compared to 96% who involve the head of IT.
Erceg noted: “Effective cyber breach planning must involve stakeholders from across the business. This is no longer the purview of a few IT specialists. The shock waves of a cyber attack are too damaging and too prevalent for businesses to not make it one of the biggest risks they face.
“Companies need to shift from a reactive to proactive approach to avoid and manage a cyber attack. Today, we should all be considering when, not if, an attack will happen and protect ourselves from the risk.”