Lockton: UK businesses severely unprepared for cyber-attack aftershocks
Half of UK companies expect to be entirely operational 48 hours after a large-scale cyber security breach.
The insurance broker Lockton said a survey of senior decision-makers found only 2% of UK businesses think a breach will affect them for more than 10 days.
Reputational damage is one of the most recognised impacts on a business following a loss of third party data, identified by 63% of businesses in Lockton’s report.
Yet only a quarter (26%) of UK companies say the head of PR and communications is involved in cyber breach scenario planning at all.
Also, just 42% of businesses include managing public relations in their current response protocol for a loss of third party data, making this the action least likely to be undertaken following an attack.
The full Lockton report is available at ‘Cyber Aftershock: How UK companies underestimate the seismic waves produced by a data breach’,
Peter Erceg, SVP of Global Cyber & Technology at Lockton said: “The fact that so few businesses are aware of the aftershocks caused by a cyber attack is concerning. It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”
Erceg noted that a large-scale leak is impossible to hide, so communicating this proactively and properly to stakeholders – both internal and external – is vital.
He said: “In recent times a number of big brands have become synonymous with the large, well-publicised attacks that have befallen them, in part because they didn’t take communication seriously enough. It could take years for them to shed that stigma.”
The report also found that only half of UK businesses (52%) take into account loss of customers as a potential cost when calculating the possible business impact of a cyber breach.
They are most likely to consider lost revenue (72%) and the cost of data loss (69%).
Other costs – such as a forensic investigation (33%) or reviewing policies (36%) or regulatory fines (46%) are being forgotten.
Erceg noted these ‘invisible’ costs of a cyber attack are often the mostly costly and damaging. “The less quantifiable costs of a cyber attack take the longest for a business to recover from,” he said.