Insurance failing to cover cyber breaches
Written by staff reporter
Senior executives say that critical data is not being protected, a new report from information security and risk management company, NTT Com Security, shows. The report, designed to assess the level of risk within large organisations and the value that senior people place on data security, reveals that the majority (56%) of respondents in the UK agree they are likely to suffer a security breach at some point – which rises to 63% on average globally.
Nearly three-quarters (72%) believe it is vital that their organisation is insured for data security breaches, but only half (54%) admit their company insurance currently covers the financial impact of both data loss and a security breach.
Garry Sidaway, a senior vice-president at NTT Com Security, says: “The results provide some real insight into the minds of non-IT executives about the value they place on the data in their business and whether they feel this data is at risk. The report shows a kind of ‘security maturity’ scale developing among businesses who value their data, but do not always recognise the risks to critical information. When asked what they associate with the term data security, only half say it is ‘vital’, while less than a quarter see it as ‘a business enabler’.
“Unfortunately, security at the board level still tends to be associated with data protection and compliance, when in fact securing data properly is absolutely critical to enabling businesses to thrive and survive. There’s also a growing disconnect between the cost of breaches and the importance that organisations place on IT security to drive these costs down.”
UK executives are also underestimating the impact of a security breach. Almost a fifth (19%) think there would be no significant impact on their revenue, while 28% admit they do not know what the financial implications would be. On average, however, UK companies estimate a drop in revenue of 7%. A quarter (24%) say it would take between one and three months to recover, with five months being the average in both the UK and across all eight countries.
Report: key findings
Data policies in the business
· A quarter of UK executives do not know how much of their IT budget is spent on data security – the highest of any country polled.
· Over half (52%) think data security is expensive, and 21% associate it with being disruptive.
· Just 6% see poor data security as the single greatest risk to their business, the lowest for all countries, except Australia – and well below the average of 9% across all eight countries.
· Less than half (49%) of UK respondents report that all critical data is ‘completely secure’ compared to 66% in the US and 54% in Australia. Hong Kong ranked lowest with just 29%.
· A third (34%) of UK executives rank consumer customer data as the most important data they need to protect, with business customer data 2nd (33%), and employee data 3rd (27%).
· Less than half (49%) think all their consumer and business customer data is completely secure.
Impact of a data security breach
· Just over half (54%) say their company insurance covers the financial impact of data loss or a security breach, higher than the average (48%) but lower than the US (71%) and Australia (57%).
· Over a third (38%) do not know what their company insurance covers in the event of a security breach or data loss – the highest percentage for any country except France (45%).
· 67% of UK companies have a business or disaster recovery plan in place in the event of a breach.
Personal knowledge and behaviour
· Only half (52%) of executives agree they are kept fully up to date by their IT security team about data attacks and potential threats – below the global average (59%) and one of the lowest figures for all eight countries polled.
· Nearly half (48%) of UK business decision makers depend upon their IT security team to allow them to use and access work-related data safely whatever device they are using, but a third (34%) see it as a joint responsibility between themselves and the security team.
· A fifth admit to using personal devices not approved by IT security for work purposes.