Many UK companies lack formal cyber security policies and a plan to manage incidents when they occur, according to newly published research commissioned by the UK government.
The Cyber Security Breaches Survey 2016 revealed that 65% of major UK businesses experienced at least one cyber security breach or attack in the past year, with a quarter of the large firms that fell victim to breaches experiencing such incidents at least monthly.
Cyber security is a "high priority area" for 90% of large businesses in the UK and is a very high or fairly high priority for 69% of all UK companies, according to the survey.
However, just 29% of UK companies have written cyber security policies and only 10% of businesses have "formal incident management processes", the report on the survey said. In addition, the survey found that many businesses have not implemented cyber security measures in line with government guidance, in particular the Cyber Essentials scheme and the '10 Steps' guide, or provided cyber security training to staff in the last year.
"Training staff in advance is a key ingredient for the successful management of a security incident," cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said. "Unless staff are aware of and have rehearsed incident response plans, for example, they are unlikely to be in a position to implement them properly."
Minister for the digital economy Ed Vaizey said the survey identified "a gap between awareness and action" on cyber risk.
"The UK is a world-leading digital economy and this government has made cyber security a top priority," Vaizey said. "Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves."
The survey also showed that large businesses are more likely than smaller companies to take steps to address cyber risks. However, it showed that just 13% of all UK companies, and 34% of large UK businesses, "set minimum cyber security standards for their suppliers". Just 20% of UK companies "validate the suppliers" of cloud computing services, it said.
Birdsey said that the major data breach to hit US retail giant Target is a prominent example of a cyber attack that originated from the theft of network credentials from a supplier of the company.
According to the new report, more than a third of UK companies (37%) said they have "some form of cyber security insurance", although in many instances coverage is "a bolt-on to broader insurance policies, such as professional indemnity insurance". The government said that this means businesses may not actually be covered if cyber risks materialise.
"In these [bolt-on] cases, businesses had not sought out cyber security insurance specifically and there was a general lack of knowledge about what was covered within these policies," the report said. "This finding chimes with previous insurance industry estimates, which suggest that in actual fact the overwhelming majority of businesses are not insured specifically against cyber security breaches. In other words, while two-fifths think they are insured, they may not be covered if they have a breach."
Birdsey said the warning "accords with his recent claims experience".
"Cyber extensions to existing policies may leave the insured company with gaps in cover, or the application of sub-limits may leave uninsured exposures," Birdsey said. "Given the broad and varied nature of cyber exposures, a specialist and tailored cyber insurance policy is required to afford adequate protection."
Viruses, spyware and malware were cited as the most common sources of cyber security breaches by UK businesses. On average, security breaches cost large UK businesses £36,500 per incident, although one such incident cost one business £3 million, the report said.
"Cases like this highlight that individual breaches or attacks can have large financial ramifications for a business, and they underpin the importance of businesses taking action to prevent and protect against these kinds of attacks," the report said.
Birdsey said that data breach costs can be expected to rise after the new General Data Protection Regulation takes effect, due to the administrative costs that will stem from new obligations on data breach notification as well as the much larger potential fines companies could face for such incidents. He also warned that a further cost of data breaches can be damage to a company's reputation and brand.