Cyber-attacks cost businesses an estimated £200bn ($315bn) over the past 12 months, according to new research from business advisory firm Grant Thornton International.
The firm poled 2500 business leaders in 35 countries to compile its International Business Report (IBR) and found 15% have been targeted by attackers during the period.
That figure rose even higher for organizations in Europe (19%) and North America (18%).
However, perhaps a sign of the maturity of these markets, the estimated loss of business revenues was significantly lower in the EU ($62.3bn) and North America ($61.3bn) than APAC ($81.3bn).
The research revealed that, on average, a successful online attack will cost around 1.2% of business revenues. Yet only 52% of those surveyed said they have a security strategy in place.
Perhaps unsurprisingly the financial services sector was most concerned about the risk of cyber-attack with three-quarters (74%) of respondents claiming online attacks are a threat to the business.
It’s no coincidence that this sector has the joint highest recorded instance of cybercrime – 26% of respondents.
Conversely, just 27% of those working in transport said they saw cyber-attacks as a threat, with only 10% claiming to have reported such an attack in the past year.
Of those firms that have implemented a cybersecurity strategy, the top drivers are customer demand (44%), and an increased use of automation/emerging tech which could lead to greater risk exposure (41%).
Grant Thornton head of cyber resilience, Manu Sharma, told Infosecurity there are several reasons why so many global organizations have yet to formulate a cyber security strategy.
“Some of them do not know where to start and what threats are applicable to them. Some do not have the drive from top management and cyber security strategy remains at the IT level,” he added.
“And some firms have a strategy but it is not comprehensive and is not updated as threats change or evolve.”
Sharma explained that firms must first identify what data and processes are critical to the business and then “apply security controls to protect specific data and build security controls around critical processes.”