Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.
The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report.
It revealed that more than half of those polled had reported losses of between 3-10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.
Reputational loss (58%) was the most commonly reported impact of a cyber-attack, followed by clean-up costs (45%), management time (44%), loss of turnover (39%), and customer churn/behavior change (35%).
Part of the problem is that many mid-market firms still believe they are able to avoid the scrutiny of cyber-criminals, and therefore pay less attention to security best practice.
Less than a third (31%) claimed to follow minimum cybersecurity standards, versus 46% of large companies; just half (48%) conduct risk assessments versus 69% in larger enterprises; and 55% do cyber health checks compared to 64%.
Risks will only increase as automated attack techniques grow in popularity – enabling vulnerability identification, credential stuffing, and open source information scraping en masse.
“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” argued Grant Thornton head of cybersecurity, James Arthur.
“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”
Putting cyber risk on the board agenda is one of the best ways to regain the initiative and minimize the chances of a successful attack, but challenges persist, the consultancy claimed.
Only two-fifths (41%) of respondents claimed to have an incident response plan in place, and even fewer (37%) said their board formally reviews cybersecurity, or that there’s a security-specific role on the board (37%). Just 36% said they had provided all staff with security training over the past year.
In most cases the board member with responsibility for cyber is the CIO (31%), CTO (23%), CEO (16%) or CFO (15%). Chief security officer doesn’t feature at all.