article banner
news release

UK mid-market boards ignoring £30 billion cyber risk

New research from leading business and financial adviser Grant Thornton UK LLP finds that cyber-attacks are a clear and present danger for mid-market* businesses in the UK, but boards are not effectively prepared to manage the risk.

  • In the last 12 months, the total cost of cyber security breaches to UK mid-market businesses has reached at least £30 billion
  • Yet 63 per cent of UK mid-market businesses do not have a board member responsible for cyber security
  • Only one in three (36%) have provided all their employees with cyber security training in the last 12 months
  • Over half of the business surveyed (59%) do not have a cyber incident response plan in place

Released today, Grant Thornton’s report ‘Cyber Security – the Board Report’**, estimates that in the last 12 months, the total cost of cyber security breaches to UK mid-market businesses has reached at least £30 billion***.

More than half (53%) of the companies interviewed reported losses equivalent to 3-10 per cent of revenue following a cyber-breach. For those businesses hit most severely, losses can reach up to 25 per cent of revenue. Six per cent of the businesses surveyed reported a loss of this size (11 to 25% of revenue).

Despite this, the research found that almost two thirds (63%) of the companies interviewed had no board member with specific responsibility for cyber security. Sixty-three per cent of those questioned also said that the board does not formally review cyber security risks and management.

The organisations interviewed were also under prepared in terms of making their people aware of cyber risks, with only one in three (36%) providing all their employees with cyber security training in the last 12 months.

James Arthur, partner and head of cyber consulting at Grant Thornton UK LLP, said:

“Boards have a key role to play in ensuring an effective cyber strategy is in place. Putting cyber-crime onto the board’s agenda is one of the most effective ways to minimise the chances of a successful attack and reduce the financial impact if a breach occurs. With that in mind it is worrying that almost two thirds of the businesses we interviewed do not have a board member responsible for cyber security.

“While commitment from the top is vital, ensuring your people are properly trained is also essential. Often, companies make themselves vulnerable to attack simply by failing to get the basics right. Training to raise employee awareness can have a hugely positive impact on cyber security. People are often unaware of the important role they play in helping a business to stay protected, so companies of all sizes need to ensure they have regular and ongoing cyber security training in place.”

Misplaced confidence in cyber capabilities 

Almost 70 per cent of the respondents felt confident in their ability to respond consistently at any time to a cyber-attack across their entire organisation. Conversely, over half of the businesses surveyed do not have a cyber incident response plan in place (59%).

The importance of having a well-rehearsed plan of action cannot be underestimated. The research found that companies that have an incident response plan in place experience lower financial losses from a cyber-attack than those that don’t.

James Arthur continued:

“Cyber-crime represents a serious threat to every UK business and, as our research shows, just one successful attack can amount to a huge revenue loss. Mid-market companies are particularly vulnerable as they have a level of resources that make them an attractive target but are less likely to implement best-in-class cyber security compared to larger companies.

“Businesses need to understand where their weak points are in order to counter the threat effectively. Yet our research shows that perceived and actual vulnerability often don’t match up, with many businesses feeling confident in their cyber management capacity but having no meaningful response plans in place. A pre-prepared, effective response plan allows a business to do the right thing as fast as possible, in a situation where every minute counts.

“Many companies are relying on regular data backups to be able to recover rapidly from cyber incidents but with modern ransomware specifically designed to spend up to six months infecting entire networks, including data backups, this cannot be relied upon as a core component of a response plan.”

The report identifies six key areas that mid-market boards should be focusing on to ensure they are properly prepared, including;

  • establishing a cyber incident response plan
  • regularly rehearsing the response plan using a range of different scenarios
  • monitoring and managing the risk posed from their supply chain
  • ensuring they understand the terms of their insurance and what is covered
  • understanding what ‘normal’ looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns
  • investing in regular training and raising their people’s awareness of cyber security.

James Arthur concluded:

“Effective cyber-security does not need to cost the earth and goes beyond simply investing in new technology. There are simple, specific steps companies can take, such as implementing a meaningful cyber response plan and understanding what is ‘normal’ for their business, to put themselves in a much stronger position.

“Cyber risk management should be fundamental for every business striving to grow in a connected, digital world and boards need to recognise its importance. No business – whatever its size or sector – is immune.”

 

Notes to editors

* mid-market defined as companies with turnover between £15m and £1bn per annum.

** For the ‘Cyber Security – the Board Report’ Grant Thornton surveyed 509 mid-market companies in November 2018

*** estimates for the loss of revenue were generated by taking the total revenue of the mid-market in the UK (EIU) and Grant Thornton’s survey data on the percentage of mid-market companies that faced cyber-attacks in the last 12 months and the average losses from these attacks.