The UK’s businesses are massively under-reporting cybercrime and are woefully ill-equipped to deal with attacks despite being aware of the risks, according to a new Institute of Directors (IoD) study.
The research, culled from interviews with nearly 1000 IoD members, revealed that just 28% have reported an incident to the police despite half (49%) of attacks resulting in disruption to the business.
There’s also a disconnect between directors’ understanding of the risks of cyber-attacks and their readiness to deal with them.
Some 91% said cybersecurity is important but only half (57%) have a formal plan in place to defend against attacks; a similar number (49%) said they provide awareness training to staff and just one fifth have taken out cyber insurance.
A disappointing 68% of IoD members interviewed said they’d never heard of the government’s national fraud and cybercrime reporting center, Action Fraud. In fact, even the IoD report erroneously refers to the center as ‘Action Fraud Aware.’
“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority,” said report author Richard Benham, in a statement. “Businesses need to develop a cybersecurity policy, educate their staff, review supplier contracts and think about cyber insurance.”
Richard Brown, director of EMEA channels and alliances at Arbor Networks, argued that the answer to improving cyber-resilience involves people, process and technology.
“Organizations need to be vigilant, looking out for any suspicious activity to avoid becoming a victim of an attack or a ransom,” he added.
“What’s becoming essential, especially for larger organizations and high-value targets, is having the ability to detect and contain threats quickly – even when they make it past the perimeter defenses.”
The problem of under-reporting cybercrime has been endemic for years in the UK, which currently has no mandatory breach disclosure laws.
Even so, industry body techUK claimed in a report gleaned from FoI requests last year that regional police forces are struggling to cope with recording and responding to cybercrime incidents.
Non-reporting of incidents also makes it difficult to understand the true scale of the cybercrime problem in this country, and means industry as a whole and law enforcement can’t benefit from anonymized threat intelligence sharing.