One third of global business decision makers report that their organization would try to cut costs by considering paying a ransom demand from a hacker rather than invest in information security. In the UK, this figure drops to a fifth (21 percent) of respondents. The findings from the 2018 Risk:Value Report, commissioned by NTT Security, show that another 30 percent in the UK are not sure if they would pay or not, suggesting that only around half are prepared to invest in security to proactively protect the business.
Examining business attitudes to risk and the value of information security, NTT Security’s annual Risk:Value Report surveys C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from multiple industry sectors.
Levels of confidence about being vulnerable to attack also seem unrealistic, according to the report. 41 percent of respondents in the UK claim that their organization has not been affected by a data breach, compared to 47 percent globally. More realistically, of those in the UK, 10 percent expect to suffer a breach, but nearly a third (31 percent) do not expect to suffer a breach at all. More worrying is the 22 percent of UK respondents who are not sure if they have suffered a breach or not. Given that just 4 percent of respondents in the UK see poor information security as the single greatest risk to the business, this is unsurprising. Notably, 14 percent regard Brexit as the single greatest business risk, although competitors taking market share (24 percent) and budget cuts (18 percent) top the table.
Business impact and estimated costs of a breach
When considering the impact of a breach, UK respondents are most concerned about what a data breach will do to their image, with almost three-quarters (73 percent) concerned about loss of customer confidence and 69 percent about damage to reputation, the highest figures for any country.
The estimated loss in terms of revenue is 9.72 percent (compared to 10.29 percent globally, up from 2017’s 9.95 percent). Executives in Europe are more optimistic, expecting lower revenue losses than those in the US or APAC.
The estimated cost of recovery globally, on average, has increased to $1.52m, up from $1.35m in 2017, although UK estimates are lower at $1.33m this year. Globally, respondents anticipate it would take 57 days to recover from a breach, down from 74 days in 2017. However, in the UK, decision makers are more optimistic, believing it would take just 47 days to recover, one of the lowest estimates for any country.
Whose responsibility is security?
According to Risk:Value, there is no clear consensus on who is responsible for day-to-day security, with 19 percent of UK respondents saying the CIO is responsible, compared to 21 percent for the CEO, 18 percent for the CISO and 17 percent for the IT director. Global figures are very similar.
One area of concern, however, is whether there are regular boardroom discussions about security, with 84 percent of UK respondents agreeing that preventing a security attack should be a regular item on the Board’s agenda. Yet only around half (53 percent) admit it is and a quarter don’t know.
How prepared are organisations?
UK respondents estimate that the operations department spent noticeably more of its budget on security (17.02 percent) than the IT department did (12.94 percent). This compares to the global figures of 17.84 percent (operations) and 14.32 percent (IT), on average.
Each year the NTT Security Risk:Value report shows that companies are still failing when it comes to communicating information security policies. An impressive 77 percent in the UK (compared to 57 percent globally) claim to have a policy in place, while 10 percent (26 percent globally) are working on one. While 85 percent of UK respondents with a policy in place say this is actively communicated internally, less than a third (30 percent) admit that employees are fully aware of it.
In terms of incident response planning, the UK is the best prepared, with 63 percent of respondents saying their organization has already implemented a response plan, well above the global figure of 49 percent, while 18 percent are in the process of doing so. Just 1 percent in the UK say they have no plans to implement an incident response plan.