Over 90% of European businesses have suffered a data breach in the past five years, but fewer than half are concerned about it happening again, and awareness of the coming changes in European data protection regulation is worryingly low, according to Lloyd's.
The insurance market said in a new report that, of the 346 senior decision-makers it surveyed at large businesses, 92% had been breached but only 42% were concerned about history repeating itself.
And while 97% said they’d heard of the General Data Protection Regulation (GDPR), over half (57%) claimed they know “little” or “nothing” about it.
This is despite the more positive news from the research that cyber risk has become a board-level issue over the past year, with CEOs rather than CIOs driving breach mitigation plans in a majority (54%) of cases.
Cyber insurance is also little understood, with nearly three-quarters (73%) of business leaders admitting they have limited knowledge of this growing industry.
“It is reassuring that responsibility for cyber risk is sitting at the most senior level of businesses, but it is clear that too many firms do not believe that the dangers of a breach will severely impact them,” said Lloyd's CEO Inga Beale, in a statement.
“I’m afraid we no longer live in a world where you can prevent breaches taking place; instead it is about how you manage them and what measures you have in place to protect your business and, importantly, your customers. As recent events have shown, hard-earned reputations can be lost in a flash if you do not have the correct plans in place.”
The top internal threats identified by respondents were loss of paper or non-electronic devices (42%), malicious insiders (42%), human error (41%) and lost, stolen or discarded equipment (41%).
The top external threats listed were hacking for financial gain (51%), hacktivism (46%), and hacking by a competitor (41%).
Amazingly, only 13% said they were worried about loss of customers as the result of a breach.
Stephen Love, EMEA security practice lead for Insight, warned that firms need to start planning for GDPR now.
“For an organization to adhere to the new EU data regulation, it first needs to identify the key data that it needs to protect, understand where it resides and what value the data has. Additionally, and perhaps most importantly, companies need to evaluate who has access to this data. Once this is established, the organization needs to create a security strategy and policies that will enable it to not only protect this data but also secure admittance to it,” he explained.
“Further solutions can then be implemented to secure the data, from cutting-edge, next-generation firewall solutions to data loss prevention tools, ensuring the integrity of the data. Identity and access management solutions and multi-factor authentication will also allow for the governance and control of user admission to on-premises and cloud services.”