Newsroom / Risk Management
UK Businesses Severely Unprepared for the Seismic Aftershock of a Cyber Attack

(LONDON) –15 August 2017 – A new report by Lockton, the world’s largest global independent insurance broker reveals the extent to which UK businesses are unprepared for the potential length and severity of a cyber security breach.

“Companies need to shift from a reactive to proactive approach to avoid and manage a cyberattack,” said Peter Erceg, SVP of Global Cyber & Technology at Lockton. “Today, we should all be considering when, not if an attack will happen and protect ourselves from the risk.”

In ‘Cyber Aftershock: How UK companies underestimate the seismic waves produced by a data breach’, Lockton reveals that fully half of UK companies, 50 percent, expect to be entirely operational 48 hours after a large-scale cyber security breach. The survey of senior decision-makers shows that only two percent of UK businesses think a breach will affect them for more than 10 days.

“The fact that so few businesses are aware of the aftershocks caused by a cyberattack is concerning,” said Erceg. “It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be a bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unaware.”

Reputational damage is one of the most recognised impacts on a business following a loss of third party data, identified by 63 percent of businesses in Lockton’s report. Yet only a quarter, 26 percent, of UK companies say the head of public relations and communications is involved in cyber breach scenario planning at all. Also, just 42 percent of businesses include managing public relations in their current response protocol for a loss of third party data, making this the action least likely to be undertaken following an attack.

Erceg noted that a large-scale leak is impossible to hide, so communicating this proactively and properly to stakeholders – both internal and external – is vital.

“In recent times a number of big brands have become synonymous with the large, well-publicised attacks that have befallen them, in part because they didn’t take communication seriously enough,” Erceg said. “It could take years for them to shed that stigma.”

The report also found that only half of UK businesses 52 percent take into account loss of customers as a potential cost when calculating the possible business impact of a cyber breach. They are most likely to consider lost revenue and the cost of data loss.

Other costs – such as a forensic investigation or reviewing policies or regulatory fines are being forgotten. “The less quantifiable costs of a cyberattack take the longest for a business to recover from,” Erceg said. 

Additionally, fine-tuning internal processes is vital to prevent a cyberattack, but the report found that 26 percent of businesses do not always make new staff aware of cyber security policies, and a similar proportion of staff are unaware of who to contact if they spot or experience an attempted breach. In fact, 58 percent say only key staff who work directly with internal IT systems know the correct protocol for reporting or handling a breach. This problem may be compounded by the fact that only seven percent of HR heads are involved in cyberattack planning.

“Ninety five percent of cyber security incidents are a result of human error,” said Erceg. “Training and internal policy must be the first line of defence to avoid a large-scale attack. Modern hackers prey on unsuspecting or inattentive staff to gain access to businesses.”

Board engagement is also low, with just 50 percent of businesses involving their boards at all in cyber security planning, compared to 96 percent who involve the head of IT. Just over a quarter, 26 percent, deem the board to be the most influential in tackling cybercrime.

“Effective cyber breach planning must involve stakeholders from across the business. This is no longer the purview of a few IT specialists,” Erceg said. “The shock waves of a cyberattacks are too damaging and too prevalent for businesses to not make it one of the biggest risks they face.”

About Lockton

Lockton is a global professional services firm with 6,500 Associates who advise clients on protecting their people, property and reputations. Lockton has grown to become the world’s largest privately held, independent insurance broker by helping clients achieve their business objectives.

For eight consecutive years, Business Insurance magazine has recognized Lockton as a "Best Place to Work in Insurance." To see the latest insights from Lockton's experts, check Lockton Market Update.

< Back to Newsroom Updates
Discover more Insights & Publications  |  Read more in the Lockton Newsroom  |  See our Client Stories
Discover more Insights & Publications
See our Client Stories