UK businesses still not preparing effectively for cyber attacks

Recent research by PwC finds that more than a quarter of UK organisations (28%) don’t know how many cyber attacks they suffered in the past year and a third (33%) admit to not knowing how the incidents they faced occurred.

The annual study is based on interviews with 9,500 senior business and technology executives from 122 countries, including 560 UK respondents spanning large to small businesses and public sector organisations.

Richard Horne, cyber security partner at PwC, commented: “Cyber attacks could happen to any organisation at any time, so it’s important that all businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way. In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.”

The report reveals that, whilst only 14% of UK companies reported direct financial losses as a result of security incidents, the average total financial cost of incidents this year is £857,000. The impact of these breaches was also felt more widely, across both business operations and data:

  • UK organisations faced an average of 19 hours of downtime due to security incidents;
  • 23% had customer records compromised;
  • 20% had employee records compromised; and
  • 21% reported loss or damage of internal records.

Despite this, fewer UK organisations than organisations globally have a cyber insurance policy in place to cover the various impacts of breaches (UK: 44%; global: 58%).

The average information security budget amongst UK businesses and public sector organisations last year was £3.9m. The majority (64%) of organisations surveyed have an overall security strategy in place and 53% agree that spending is based exclusively on risk. However, only 34% have boards actively participating in the strategy compared to the global average of 44%.