New research finds corporates underestimate the likelihood and potential impact of a cyber attack


Cyber risk is rising to the top of the boardroom agenda, but many European businesses still underestimate the likelihood and potential impact of a cyber event, new research from Lloyd’s has shown.

Lloyd’s survey of nearly 350 senior business decision makers from across Europe found that while 54% of CEOs take responsibility for cyber security, only 13% believe they will lose trade in the event of a cyber attack. Whilst 92% of businesses had experienced some form of cyber breach in the last five years, only 42% are worried that another incident will happen in the future.

Lloyd’s chief executive, Inga Beale, commented: “It is reassuring that responsibility for cyber risk is sitting at the most senior level of businesses, but it is clear that too many firms do not believe that the dangers of a breach will severely impact them. I’m afraid we no longer live in a world where you can prevent breaches taking place, instead it is about how you manage them and what measures you have in place to protect your business and importantly, your customers. As recent events have shown, hard-earned reputations can be lost in a flash if you do not have the correct plans in place.”

More than half (57%) of respondents also admitted not fully understanding the potential implications of the EU General Data Protection Regulation (GDPR) on their company. Under the regulation, organisations handling EU citizens’ data will be required to report breaches within 72 hours and will face potential fines of up to €20m for failing to secure data.

Although 97% indicated that they had heard of the GDPR, only 7% reported knowing “a great deal” about it. With regard to GDPR implications, business leaders are most aware of regulatory investigation (64%), financial penalties (58%), impact on share price (57%) and reputation (52%). Only 14% of businesses believe they could lose customers in the event of a breach.

The top internal threats identified as being able to result in a data breach were physical loss of paper or non-electronic devices (42%), an insider intentionally breaching information (42%), human error or unintended disclosure (41%), and lost, stolen or discarded equipment (41%).

The top external threats identified were hacking for financial gain (51%), hacking for political motivations (46%), hacking by competitor (41%), phishing (39%), ransomware (37%) and malware (32%).