Despite the UK Government’s latest figures showing that 74% of mid-to-large UK businesses have experienced cybercrime, IT and financial leaders working at the UK’s largest firms demonstrate a poor understanding of cyber risk as a financial risk, finds a new survey from cyber risk solutions company Resilience.
The results demonstrate a gap in understanding between what actually drives the greatest financial losses for companies versus what drives the media conversation. The results also demonstrate an urgent need for cybersecurity leaders to educate and enable themselves with the right solutions in order to make better business decisions around cybersecurity investment and cyber risk management.
The survey, conducted in partnership with YouGov, surveyed 206 financial and IT decision makers across UK firms with an annual turnover of more than £100m.
Data breaches were the leading cause of concern for business leaders, with 72% identifying them as their primary cyber risk. In contrast, only 47% of leaders surveyed expressed concerns about ransomware, despite the National Cyber Security Centre (NCSC) recognising it as the UK’s most significant cyber threat.
While ransomware has larger financial ramifications for a company, being the cause of more than 80% of losses for Resilience clients in 2023-24, data breaches subject businesses to stricter scrutiny. Under General Data Protection Regulations, companies must report such incidents within 72 hours, adding pressure to effectively manage these breaches.
Third-party vendor oversight remains a separate blind spot for business leaders. While 83% of leaders claim to be ‘familiar’ with the third-party vendor systems that their businesses use, only 35% believe vendor due diligence to be effective in mitigating cyber risks. Moreover, nearly half (47%) admitted that they had been impacted for at least 12 hours as a result.
This disparity in understanding is less pronounced with larger businesses. Some 44% of large businesses surveyed consider vendor outages to be a key concern for their business, compared to a total of 40%. Businesses with annual turnovers of more than £750m are significantly more likely (43%) than those below £250m (24%) to view vendor due diligence as an effective measure to reduce exposure to losses from cyber incidents.
The resurgence of ‘big-game hunting’, with cybercriminals focusing on larger targets, means that growing mid-sized firms are increasing targets lacking the resources or budget to deal with third-party attacks effectively, unlike large companies. Indeed, 34% of companies with a turnover of at least £1bn went unscathed by vendor outages.
As costs and resources remain the primary constraining factor for mid-sized firms, business leaders must be better equipped to understand cyber risk in financial terms. According to the UK Government, cyber breaches cost mid-to-large-sized firms an average of £10,830 in 2023.
However, the survey found that only 54% of businesses kept quantitative risk registries, limiting their ability to oversee the financial ramifications of cyber-attacks. Quantifying cyber risk enables business leaders to prioritise security controls and insurance more effectively, optimise their return on investment, and minimise the likelihood of significant financial losses.
When considering measures companies can take to mitigate the impact of cyber incidents, no more than 62% of leaders determined any one measure effective, with education on cybersecurity (eg. among staff) the most commonly identified measure.
Other key findings from the survey include:
- Business interruption (38%) and data breaches (37%) were the leading insurance claims firms filed for
- Despite 93% of businesses surveyed having cyber insurance, only 45% of leaders claimed it was effective in reducing losses
- IT leaders generally showed higher cyber literacy levels than financial leaders
- Business interruption (72%) was a larger concern for companies with an annual turnover of less than £250m, with these companies facing more breaches
- 30% of businesses did not file any claims despite having cyber insurance
Vishaal ‘V8’ Hariprasad, CEO and co-founder of Resilience, said: “Cyber risk has become an undeniable reality for businesses of all sizes, yet our findings highlight a concerning gap in understanding and preparedness, particularly in how leaders assess and manage these risks as financial risks.”
“Traditional approaches are no longer enough, and organisations must embrace a financial lens to improve their cyber business decision making and achieve cyber resilience. By quantifying and modelling potential impacts, investing in effective mitigation strategies, and ensuring return on investment on cyber insurance, business leaders can receive real value in countering cybercrime. Only by bridging these gaps can businesses stay resilient in the face of growing threats.”