The cost of cyber security breaches to UK mid-market business has reached at least £30bn and yet many boards have yet to take steps to directly address the issue according to a new report. Research by Grant Thornton found that more than half (53%) of the companies interviewed reported losses equivalent to 3-10% of revenue following a cyber breach. For those businesses hit most severely, losses can reach up to 25%.

Despite this, the research found that almost two thirds (63%) of the companies interviewed had no board member with specific responsibility for cyber security. 63% also said that the board does not formally review cyber security risks and management. The organisations interviewed were also under-prepared in terms of making their people aware of cyber risks, with only one in three (36%) providing all their employees with cyber security training in the last 12 months.

James Arthur, partner and head of cyber consulting at Grant Thornton UK, said: “Boards have a key role to play in ensuring an effective cyber strategy is in place. Putting cyber-crime onto the board’s agenda is one of the most effective ways to minimise the chances of a successful attack and reduce the financial impact if a breach occurs. With that in mind it is worrying that almost two thirds of the businesses we interviewed do not have a board member responsible for cyber security.

“While commitment from the top is vital, ensuring your people are properly trained is also essential. Often, companies make themselves vulnerable to attack simply by failing to get the basics right. Training to raise employee awareness can have a hugely positive impact on cyber security. People are often unaware of the important role they play in helping a business to stay protected, so companies of all sizes need to ensure they have regular and ongoing cyber security training in place.”

Almost 70% of the respondents felt confident in their ability to respond consistently at any time to a cyber-attack across their entire organisation. Conversely, over half of the businesses surveyed do not have a cyber incident response plan in place (59%).

Arthur added: “Businesses need to understand where their weak points are in order to counter the threat effectively. Yet our research shows that perceived and actual vulnerability often don’t match up, with many businesses feeling confident in their cyber management capacity but having no meaningful response plans in place. A pre-prepared, effective response plan allows a business to do the right thing as fast as possible, in a situation where every minute counts.

“Many companies are relying on regular data backups to be able to recover rapidly from cyber incidents but with modern ransomware specifically designed to spend up to six months infecting entire networks, including data backups, this cannot be relied upon as a core component of a response plan.”

Share Story: