UK organisations are not preparing adequately for cyber attacks despite the increased threat, according to a new study.
PwC’s Global State of Information Security Survey 2018 found that nearly one in five (17 per cent) do not prepare or drill for such attacks, while fewer than half (49 per cent) conduct penetration tests to examine their defences.
More than a quarter (28 per cent) do not know how many cyber attacks they suffered in the past year and a third (33 per cent) admit to not knowing how the incidents they faced occurred.
The report was compiled from interviews with 9,500 senior business and technology executives from 122 countries.
These included 560 UK respondents, spanning large to small businesses and public sector organisations.
“Cyber attacks could happen to any organisation at any time, so it’s important that all businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way,” said Richard Horne, cyber security partner at PwC.
“In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.”
UK organisations remain more reluctant than their global peers to join forces with others in the fight to reduce cyber risk. Only two in five UK respondents (44 per cent) formally collaborate with others in their industry to improve security and reduce the potential for future risks, compared with 54 per cent across Europe and 58 per cent globally.
Even within their own organisation, only just over half of UK respondents have a cross-organisational team in place – including leaders from finance, legal, risk, human resources, and IT/security – which meets regularly to coordinate and communicate information security issues.
“Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team,” said Horne. “To be most effective, everyone in an organisation should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.
“Working with others across the public and private sector is key too. Forging close working collaborations and sharing intelligence is often the best way to tackle the latest threats. New forms of attack require new ways of working to defend our society.”
Whilst only 14 per cent of UK companies reported facing direct financial losses as a result of security incidents, and the average total financial cost of incidents actually decreasing this year to £857,000, the impact of these breaches was felt more widely across both business operations and data.
UK organisations faced an average of 19 hours down-time due to security incidents, while 23 per cent had customer records compromised, 20 per cent had employee records compromised and 21 per cent reported loss or damage of internal records.
Despite this, fewer UK organisations have a cyber insurance policy in place to cover the various impacts of breaches – 44 per cent in the UK compared with 58 per cent globally.