ITCS Blog

1/3 of UK leaders say they’d rather pay a hacker than invest in IT security – is UK plc waiting for the ransom notes?

Like most of Britain’s IT Leaders, IT Specialists ITCS are acutely aware of the importance of robust IT security systems and the threat posed by the growth in cyber-attacks and ransomware. However, it seems that outside the IT department, business leaders are not giving adequate priority to the business risks they face from IT security threats.

IT Security Risks ‘huge’ as April report shows 350% Increase in Cyber Attacks

The Global Threat Intelligence Report (GTIR), published in April, reported that ransomware attacks surged by 350 per cent in 2017, accounting for 29 per cent of all attacks in EMEA and 7 per cent of malware attacks worldwide. Victims have included public systems such as the NHS, where the attack impacted every area of the organization, including patient care.

The NHS response has been to allocate £150m to cyber-security to avoid a repeat of the incident – there is nothing like a headline-grabbing incident to raise the urgency of IT security spending.

‘Ordinary’ businesses face the same security risks as Public Bodies

It isn’t only official Government bodies but absolutely every business that is at risk from the growing menace of cyber attackers – and it seems that UK business leaders, even in some of the UK’s largest employers, are not treating IT security with the priority it deserves.

The 2018 Risk Value Report, published today, sees one third of senior global business decision makers admitting they would rather pay a hacker’s ransom demands than invest more of their hard-won budgets in information security.

ITCS Managing Director Brian Stokes said he was ‘shocked but not surprised’ by these results.  Brian said:

“This report is shocking, seeing as the UK’s top leaders don’t even know how much the ransom is likely to be, or even if they will ever get their data back after paying a ransom. This mindset is sending the wrong message, essentially telling international hackers they have a blank cheque ready – and are sitting waiting for the demands to arrive.  If that’s not scary, I don’t know what is.”

C-Suite leaders are over-confident about IT Security

It seems that outside the IT department, C-Suite leaders and other key decision makers are over-confident when it comes to assessing vulnerability within their own organisation.

Only 41 per cent of UK respondents were confident that their organisation had not been affected by a data breach already, but only 10 per cent of UK business leaders acknowledged that their organization was at risk of a future security breach.

22% of senior leaders ‘don’t know’ if their organization has suffered a security breach already

Nearly a third of senior leaders (31 per cent) believed they were not at risk and do not expect to suffer a breach – while this perhaps shows overconfidence, most worrying of all is that 22 per cent of senior UK business leaders admitted that they were not sure whether their organization had already suffered a breach or not!

Business leaders ‘idealistic’, not ‘realistic’

Kai Grunwitz, Senior VP EMEA, NTT Security, comments:

“Many decision makers within organisations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view.

“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs.”

The issues that concern UK business leaders

Only 4 per cent of UK leaders identified information security as the single greatest risk to the business.

Notably, 14 per cent identified Brexit as the single greatest business risk facing UK businesses, but competitors taking market share (24 per cent) and budget cuts (18 per cent) were the biggest concerns – it seems that most business leaders fail to appreciate the risks posed by poor IT Security and the impact a breach could have on the business.

UK Leaders under-estimating costs of an IT Security breach

The report also shows that UK executives are estimating lower costs than their international colleagues should a breach occur.  While global estimates predict costs to be USD1.52m, UK executives estimate their recovery costs would be on average USD1.33m.

UK Leaders under-estimate time to recover from a breach

UK executives also show far more confidence than their international colleagues when it comes to predicting recovery times.

Globally, respondents anticipate it would take 57 days to recover from a breach, whereas in the UK, decision makers predict it would take just 47 days to recover, one of the lowest estimates for any country.

IT Security is not ‘just an IT issue’

Brian Stokes, Managing Director of ITCS, said:

“This survey proves what we’ve been saying for some time, that over-confidence in IT Security is widespread and in most cases this level of confidence is not justified among UK business leaders.   Attacks have the potential to disrupt an entire business so the threat needs to be discussed at board level – in every business, not just within IT businesses.

“GDPR sent UK plc into a panic, but IT Security spending is just as important to address – and also critically important to GDPR. If these figures are correct, then we have way too many senior executives who are under-prepared, over-confident it will not happen to them, and happy to run the risk and pay an unquantified price if a breach occurs. Their employees, customers and shareholders deserve better; I encourage them to act now.”

 

Business leaders who have any questions about IT Security can contact ITCS by telephone on 08456 444 200 or by visiting their website: https://www.itcs.co.uk
