UK businesses are “severely unprepared” for the potential length and severity of a cyberattack, with half expecting to be fully operational after a large-scale breach within 48 hours, according to a new report from broking giant Lockton.
Businesses are underestimating the “seismic waves that can decimate an organisation caught unaware,” with only 2% expecting an attack to affect business for more than 10 days, Peter Erceg, SVP of global cyber & technology at Lockton, said.
“The fact that so few businesses are aware of the aftershocks caused by a cyberattack is concerning,” he commented. “It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms a full recovery may be a bridge too far.”
One of the key issues causing the gulf between businesses’ perception of the potential impact of an attack and the reality is that there is often a separation within companies between those with IT expertise and those with business knowledge, according to Erceg.
Companies that leave their cyber security down to IT staff, who may have a limited understanding of the broader business, should not be surprised when a cyber issue has a significantly wider impact, the SVP told Insurance Business.
“I think it’s always been difficult to articulate from an IT point of view actually what the business impact would be. If you had a purely IT person who didn’t really understand the business side, articulating a business risk is difficult,” Erceg explained. “It’s still unfortunately seen as an IT issue, and companies think they can build a bigger wall that will stop the bad guys getting in.”
There is a “critical” need for better knowledge of cyber and IT issues throughout companies’ senior management, particularly at board level.
“If I’m a CEO but I don’t understand the risks I’m running in the digital world, yet a fair chunk of my business is in digital, then I’m underestimating a significant part of risk to my business. If I don’t understand it as a CEO, I need to have a couple of people on the board at least that get it, and it can’t just be the IT person,” commented Erceg. “To have a gap in cyber I think is a huge black spot in the understanding of the risks that a business runs.”
In the US, where the cyber market is more evolved, chief information security officers are often given higher status, but that trend has not yet filtered through to the European or Asian markets.
“I think that will come over time, but that’s the fundamental issue,” Erceg said. “It’s not a quick fix that can happen overnight.”