Only one-fifth of UK c-level executives from non-IT functions would pay hackers’ ransom demands to cut costs rather than invest in information security, compared with the global average of one-third, according to the latest report commissioned by NTT Security, which polled 1,800 global decision-makers.
The report shows that a further 30% in the UK are not sure whether they would pay or not, suggesting that only about half are prepared to invest in security to proactively protect the business. This means many businesses are still stuck in a reactive mindset when it comes to security.
The findings are particularly concerning, the report said, given the growth in ransomware, as identified in NTT Security’s Global Threat Intelligence Report (GTIR), published in April. According to the GTIR, ransomware attacks surged by 350% in 2017, accounting for 29% of all attacks in Europre, the Middle East and Africa and 7% of malware attacks worldwide.
Businesses are still making the same mistakes, the latest report said, failing to make any progress in crucial areas such as cyber security awareness and preparedness. “The stakes are rising, and companies are often standing still in the race to deal with security threats,” it said.
Levels of confidence about being vulnerable to attack also seem unrealistic, according to the report, with 41% of respondents in the UK claiming that their organisation has not been affected by a data breach, compared with 47% globally.
More realistically, 10% of UK respondents expect to suffer a breach, but nearly one-third (31%) do not expect to suffer a breach at all. More worrying, the report said, is the 22% of UK respondents who are not sure whether they have suffered a breach or not.
Given that just 4% of respondents in the UK see poor information security as the single greatest risk to their business, this is unsurprising, the report said. Only 14% regard Brexit as the single greatest business risk; the list of concerns was topped by competitors taking market share (24%) and budget cuts (18%).
When considering the impact of a breach, UK respondents are most concerned about what a data breach will do to their image, with almost three-quarters (73%) concerned about loss of customer confidence and damage to reputation (69%), which are the highest figures among the countries polled.
The estimated loss in terms of revenue is 9.72% (compared with 10.29% globally, up from 9.95% in 2017). Executives in Europe are more optimistic, expecting lower revenue losses than those in the US or the Asia-Pacific region.
The average estimated cost of recovery globally has risen to $1.52m, up from $1.35m in 2017, although UK estimates are lower at $1.33m this year. Globally, respondents expect it would take 57 days to recover from a breach, down from 74 days in 2017. But in the UK, decision-makers are more optimistic, believing it would take just 47 days to recover, one of the lowest estimates for any country.
Kai Grunwitz, senior vice-president for Europe at NTT Security, said: “We are seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach. Some might call it naivety and it perhaps suggests that many decision-makers within organisations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic, rather than realistic, view.
“This is reinforced by the worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cyber security, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive costs down.”
The report found there is no clear consensus on who is responsible for day-to-day security, with 19% of UK respondents saying the CIO is responsible, compared with 21% who said the CEO, 18% the CISO and 17% the IT director. Global figures are very similar.
“Senior management seem distracted when it comes to security, and there is no single executive role that is surfacing as ultimately responsible,” the report said.
A key area of concern, according to the report, is whether there are regular boardroom discussions about security, with 84% of UK respondents agreeing that preventing a security attack should be a regular item on the board’s agenda. Yet only about half (53%) admit that it is and a quarter do not know.
With a lack of cohesion at the top, organisations are still struggling to secure their most important digital assets, the report said.
Less than half (48%) of all respondents said they had fully secured all their critical data. The US bucked the trend, with 61% of respondents saying they had secured all their critical data, compared with 53% in the UK and France.
UK respondents estimated that their operations department spent noticeably more of its budget on security (17.02%) than the IT department did (12.94%). This is similar to global figures of 17.84% (operations) and 14.32% (IT), on average.
The report noted that once again, responses indicate that companies are still failing when it comes to communicating information security policies.
In terms of incident response planning, the UK is the best prepared, with 63% of respondents saying their organisation has already implemented a response plan, well above the global figure of 49%, while 18% are in the process. Just 1% in the UK said they have no plans to implement an incident response plan.
“The UK is leading the pack when it comes to planning for a security breach or for non-compliance of information/data security regulations,” said Grunwitz. “Given that the GDPR [General Data Protection Regulation] has just come into force, this is encouraging. However, while the majority claim their information security and response plans are well communicated internally, it seems that only a minority are ‘fully aware’ of them. This continues to be an area that businesses are failing on time and time again and needs to be addressed as a priority.”
Questions about the GDPR reveal that only one in three respondents globally believe that it affects them, and even in Europe, less than half of the respondents in any country thought they were subject to the GDPR.
A lack of clear leadership at board level, combined with a tendency to hand off responsibility for information security entirely to the IT department, creates the perfect conditions for an attacker to prove them wrong, the report concluded.