UK firms are being urged to do more to protect themselves from cyber criminals after the government's 2016 'Cyber Security Breaches Survey' found that two thirds of large businesses experienced a cyber breach or attack in the past year. Meanwhile, a report produced jointly by broker Marsh and lobbying body TheCityUK says financial services firms are at the forefront of the battle against cyber fraud – and it urges boards to take ownership of the issue.
Airmic states the two reports demonstrate that its members are right to be very concerned about cyber risk – a topic that looms large at the association’s annual conference in Harrogate this month.
The government research shows that in some cases the cost of cyber breaches and attacks to business reached millions of pounds, but the most common of those detected involved viruses, spyware or malware that would have been relatively easy to prevent.
The 'Cyber Security Breaches Survey' found that, while one in four large firms experiencing a breach did so at least once a month, only 50% had taken any recommended actions to identify and address vulnerabilities. Even fewer, about a third of all firms, had formal written cyber security policies, and only 10% had an incident management plan in place.
The survey found almost half of the top FTSE 350 businesses regarded cyber attacks as the biggest threat to their business when compared with other key risks - up from 29% in 2014. Yet only a third of these businesses understand the threat of a cyber attack and only a fifth have a clear view of the dangers of sharing information with third parties.
Despite these shortcomings, UK industry is getting better at managing cyber-risks, with almost two thirds of firms now setting out their approach to cyber security in their annual report.
In the City
Meanwhile, the Marsh and TheCityUK report - 'Cyber and the City' - argues that firms across the financial and related professional services industry need to take urgent action on cyber risk.
The report recognises the significant effort invested by UK authorities to encourage action on cyber risk. Nonetheless, survey evidence from Marsh supports the view that too few firms are tackling cyber in a cohesive way: only 30% of large firms have it as a top ten risk, only 39% have quantified the risk and just 30% have a response plan to a breach occurring.
'Cyber and the City' recommends that boards should hold management, rather than their IT departments, responsible for cyber risks. It adds that, since 95% of all cyber incidents involve human error, people and processes matter as much as technology when it comes to managing cyber threats.
“These two reports confirm our strongly held view that cyber is going to be a top challenge for our members for a long time”, said Airmic deputy CEO Julia Graham. “This is also a top priority for Airmic, and it is one that requires an holistic, enterprise-wide approach to risk management.”
Airmic will be holding a plenary session at its conference in Harrogate on June 7 in which two leading experts will reconstruct a real-life example of a cyber attack.