To ensure boards are fully prepared to face the consequences of a cyberattack, the report recommends six key areas to focus on:
- Establishing a cyber-incident response plan
- Regularly rehearsing the response plan using a range of different scenarios
- Monitoring and managing the risk posed from their supply chain
- Ensuring they understand the terms of their insurance and what is covered
- Understanding what 'normal' looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns
- Investing in regular training and raising their people's awareness of cybersecurity
Cyberattacks and data breaches have cost UK mid-market companies over £30 billion, yet organisations remain complacent about their cybersecurity capabilities – putting them at greater risk from hackers and cybercrime.
Business and financial adviser Grant Thornton surveyed hundreds of mid-market organisations – those with between £15m and £1bn per year – and found that, despite the threat posed by cyberattacks, boards aren't effectively prepared to manage the risks.
Of those companies surveyed for Grant Thornton's Cybersecurity: the Board Report, over half of companies (53%) reported losses of between 3% and 10% following a cyberattack or data breach. But the losses can also be much worse: 6% of businesses consulted in the report said they lost between 11% and 25% of revenue as the result of an incident.
But even though organisations are aware of the damage that can be done as the result of a cyberattack, almost two-thirds (63%) of companies don't have a board member with specific responsibility for cybersecurity.
The same number said the board doesn't formally review cybersecurity risks and their management, while over half of businesses surveyed (59%) say they don't have an incident response plan in place for cyberattacks.
Additionally, just one in three companies (36%) provided cybersecurity awareness training to all of their employees in the last year.
But despite this, almost 70% of those surveyed said they felt confident in their ability to respond to a cyberattack, suggesting potentially misplaced confidence in how well they can deal with incidents.
"Whatever your sector, whatever type of business you are, assume that you are being targeted all the time. With the levels of volume cybercrime we are seeing now, you almost certainly are," said James Arthur, partner and head of cyber consulting at Grant Thornton.
In order to fully protect against attacks, organisations must ensure that cybersecurity is seen as an important issue throughout the organisation – from the board, all the way down.
"While commitment from the top is vital, ensuring your people are properly trained is also essential. Often, companies make themselves vulnerable to attack simply by failing to get the basics right. Training to raise employee awareness can have a hugely positive impact on cybersecurity," said Thornton.
"Effective cybersecurity does not need to cost the earth and goes beyond simply investing in new technology. There are simple, specific steps companies can take, such as implementing a meaningful cyber-response plan and understanding what is 'normal' for their business, to put themselves in a much stronger position," said Arthur.