Research from Grant Thornton UK has identified cyber-attacks as a clear and present danger for mid-market businesses in the UK, but warns that boards are not effectively prepared to manage the risk. In the last 12 months, the total cost of cyber security breaches to UK mid-market businesses has reached at least £30bn, yet 63 per cent of UK mid-market businesses do not have a board member responsible for cyber security.
More than half (53%) of the companies interviewed reported losses equivalent to 3-10% of revenue following a cyber-breach. For those businesses hit most severely, losses can reach up to 25% of revenue. Six per cent of the businesses surveyed reported a loss of this size (11 to 25% of revenue).
Despite this, the research found that almost two thirds (63%) of the companies interviewed had no board member with specific responsibility for cyber security and that their boards did not formally review cyber security risks and their management.
The organisations interviewed were also under-prepared in terms of making their people aware of cyber risks, with only one in three (36%) providing all their employees with cyber security training in the last 12 months.
Almost 70 per cent of the respondents felt confident in their ability to respond consistently at any time to a cyber-attack across their entire organisation. Conversely, over half of the businesses surveyed do not have a cyber incident response plan in place (59%). However, the research found that companies that have an incident response plan in place experience lower financial losses from a cyber-attack than those that don’t.
The report identifies six key areas that mid-market boards should be focusing on to ensure they are properly prepared, including:
- establishing a cyber incident response plan
- regularly rehearsing the response plan using a range of different scenarios
- monitoring and managing the risk posed from their supply chain
- ensuring they understand the terms of their insurance and what is covered
- understanding what ‘normal’ looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns
- investing in regular training and raising their people’s awareness of cyber security.