The cost of recovering from a data security breach for UK organisations has been estimated at £1.1 million ($1.4m) by NTT Security.
The study of business decision makers’ attitudes to risk and the value of information security reveals that UK respondents anticipate it would take almost three months (80 days) to recover from an attack.
The annual study of 1,350 non-IT business decision makers across 11 countries found the global average was 74 days.
UK respondents also predict a significant impact on their organisation’s revenue, suggesting as much as a 9.5% drop.
Cost of breach
UK decision makers expect a data breach to cause short-term financial losses, and affect the organisation’s long-term ability to do business. Businesses estimated the following could occur after a security incident:
- Loss of customer confidence (63%)
- Damage to reputation (67%)
- Financial loss (44%), while one in 10 anticipate
- Staff losses (10%)
- Senior executives resign (9%)
Most telling is that 63% of respondents in the UK agree that a data breach is inevitable at some point. This is up from the previous year’s UK figure of 57%. However, less than half (47%) say that preventing a security attack is a regular board agenda item. This suggests more still needs to be done for it to be taken seriously at a boardroom level.
Linda McCormack, Vice President UK & Ireland at NTT Security, comments: “Companies are absolutely right to worry about the financial impact of a data breach – both in terms of short-term financial losses and long-term brand and reputational damage. Although this year’s £1.1 million figure is slightly down on last year’s report (£1.2m), no company, regardless of its size, sector or focus, can afford to ignore the consequences of what are increasingly sophisticated and targeted security attacks, like the widespread and damaging ransomware attack we recently witnessed.“
More positively, 72% of UK business decision makers say their organisation has a formal information security policy in place. This is compared with a global average of over half (56%). Another 16% are in the process of implementing one. But, while 83% say it has been communicated internally, less than a third say employees are fully aware of it.
The study also raises concerns over the use and sharing of incident response plans for when a breach does happen. Around two-thirds (65%) of UK respondents say their organisation has an incident response plan, above the global average of 48%. However, less than half (44%) of business decision makers were fully aware of what the incident response plan includes.
“Creating security policies seems to be a work in progress for many UK businesses. Unfortunately they become redundant if they are not properly communicated and shared throughout the whole organisation, and sadly this report backs that up. We see time and again organisations with good intentions when it comes to security and response planning, but then it falls to the bottom of the priority list due to a lack of resources, budgets and time. The fact that they are struggling to find the right resources and processes to support the fundamentals in information security and risk management planning is a major concern,’’ adds McCormack.
Breaking the bank
On the subject of budget, only an estimated 14.4% of respondent organisation’s operations budget is spent on information security. Whats more 13.7% of their IT budget is estimated to be spent on security. This compares to 15.5% and 14.6% respectively across all of the countries surveyed. More than a third in the UK say their organisation is spending less on information/data security than R&D (36%), HR (36%) and Marketing (36%).
Download the 2017 Risk:Value report: www.nttsecurity.com/RiskValue2017.