IT and financial leaders within the UK's largest corporations exhibit a significant lack of comprehension regarding cyber risk as a financial concern. This observation comes from a recent survey conducted by Resilience, a provider of cyber risk solutions, indicating that a substantial 74% of mid-to-large UK businesses have fallen victim to cybercrime.

The survey, which included responses from 206 financial and IT decision-makers at firms boasting annual revenues exceeding £100 million, has unveiled a stark discrepancy between the most common financial loss triggers for businesses and the issues that dominate public and media discussions. This disconnect underscores a pressing need for cybersecurity professionals to enhance their understanding and leverage appropriate solutions to facilitate better-informed decisions regarding cybersecurity investments and risk management.

Data breaches emerged as the primary concern for these business leaders, with 72% identifying them as their foremost cyber risk. In contrast, only 47% expressed significant apprehension regarding ransomware. This is particularly notable, as the National Cyber Security Centre (NCSC) has labelled ransomware the most substantial cyber threat in the UK, and ransomware was responsible for over 80% of financial losses among Resilience clients in 2023-24. The regulatory landscape surrounding data breaches, governed by the General Data Protection Regulation, mandates that companies report breaches within 72 hours, which heightens their perceived urgency and the need for effective management.

Furthermore, the survey exposes a critical oversight in vendor risk management among business leaders. Although 83% profess familiarity with the vendor systems employed by their organisations, a mere 35% believe that their due diligence adequately mitigates cyber risks. Alarmingly, nearly half (47%) of the respondents have experienced disruptions lasting at least 12 hours due to issues linked to vendors.

Interestingly, larger businesses generally demonstrate a slightly enhanced understanding of vendor-associated risks. For instance, 44% of larger firms regard vendor outages as a significant concern, whereas the overall figure stands at 40%. Companies with revenues exceeding £750 million are also more inclined (43%) than their smaller counterparts, those with revenues under £250 million (24%), to view vendor due diligence as an effective strategy for reducing cyber threats.

As cybercriminals increasingly target larger enterprises, mid-sized firms often find themselves inadequately resourced to tackle third-party attacks effectively. By contrast, 34% of organisations with revenues over £1 billion reported no adverse impact from vendor outages, whereas mid-sized businesses tend to experience more disruption.

The survey further accentuates the necessity for mid-sized firms to enhance their perception of cyber risk in financial terms. The UK government estimates that cyber breaches cost mid-to-large businesses an average of £10,830 in 2023. Yet, only 54% of these firms maintain quantitative risk registers, thus hampering their capacity to evaluate the financial ramifications of cyber incidents. Understanding and quantifying cyber risks can empower business leaders to prioritise security measures, optimise insurance investments, and ultimately decrease the potential for considerable losses.

In examining the effectiveness of strategies to mitigate the impact of cyber incidents, the survey found that just 62% of leaders endorsed any specific measure as effective, with cybersecurity education the most frequently cited.

Vishaal ‘V8’ Hariprasad, CEO and co-founder of Resilience, commented on the survey findings, stating, “Cyber risk has become an undeniable reality for businesses of all sizes, yet our findings highlight a concerning gap in understanding and preparedness, particularly in how leaders assess and manage these risks as financial risks. Traditional approaches are no longer enough, and organisations must embrace a financial lens to improve their cyber business decision making and achieve cyber resilience. By quantifying and modelling potential impacts, investing in effective mitigation strategies, and ensuring return on investment on cyber insurance, business leaders can receive real value in countering cybercrime. Only by bridging these gaps can businesses stay resilient in the face of growing threats.”

The implications of these findings suggest a critical need for businesses to recalibrate their understanding of cyber risks and adapt their strategies accordingly as they navigate an increasingly complex digital landscape.

Source: Noah Wire Services