Cyber Security: Protecting your business survey stats




Researched and authorised by Pitmans LLP in partnership with techUK. Report prepared in January 2014 by Philip James, Partner, and Rob Jarrett, Solicitor. Copyright Pitmans LLP 2014. All rights reserved. www.pitmans.com

Disclaimer

Please note that whilst every effort has been made to ensure this report is accurate and error free, it is based on the responses received to our survey and may only represent a small cross section of businesses. As such, this report may contain errors and it should not be relied upon or used for any commercial reason without Pitmans' prior approval.

Contents

Executive Summary
Part I Summary Report
Part II Cyber Security
Part III Bring Your Own Device (BYOD)
Part IV Remote Working
Part V Insurance
Part VI Social Media
Commentary by techUK
Key Contacts

Pitmans LLP
47 Castle Street, Reading, Berkshire, RG1 7SR
1 Crown Court, 66 Cheapside, London, EC2V 6LR

Executive Summary

The vast majority of respondents (over 85%) feel that cyber security is a concern for their business.

Over 70% of respondents feel that cyber security is a high priority for senior management, with more than 50% of businesses having C-suite level responsibility for cyber security policies and capabilities.

Businesses feel their main cyber security threat is anything that disrupts business as usual, including hacking, viruses, malware, loss of data and unauthorised access to data, files and company information.

Over two thirds of companies undertake cyber security risk assessments, with firms in the Thames Valley doing so more proactively than those nationally.

Over 70% of Managing Directors are unsure as to how their businesses would tackle further cyber breaches. In addition, only were confident to very confident in their ability to manage a cyber-attack.

periodically test their crisis management and emergency response strategies, of which just over half (53%) have implemented related policies and procedures.

The majority of businesses can work remotely (over 90%), although their biggest concern is data and system security. Most businesses (81%) have minimum security requirements for remote working.

Although many companies see cyber security as a concern, very few have insurance in place to deal with cyber breaches, with only 7% investing in stand-alone cyber security insurance.

A significant number of respondents were unaware of their company's cyber risk insurance, previous breaches or their potential future response to an online attack.

Only 13% of businesses require their third party suppliers to have specific cyber insurance.

75% of businesses allow use of social media at work, with two thirds aware of a specific policy for staff.

Only one third of companies monitor use of social media or have policies in place to prevent defamatory statements being posted by staff.

Part 1: Summary Report

Pitmans LLP reviewed their annual survey to assess the changing business conditions, primarily in respect of cyber security in the UK between 2012 and 2013, in which over 200 business leaders participated. This report summarises their responses and is valid to 23 December 2013.

Respondents by geographical split:

The survey was completed by an even split of Thames Valley based and non-Thames Valley based businesses and is therefore representative of a wide variety of industry sectors. Unless otherwise stated, results mentioned include those from all survey respondents.

Thames Valley based respondents: 47% (2013)
Non-Thames Valley based respondents: 53% (2013)

Geographical split of respondents by sector:

[Chart: geographical split of respondents by sector. Sectors shown: Finance, Technology & Telecoms, Accountancy, Business Consultancy, Property, Automotive, Hospitality, Insurance, Construction & Engineering, Marketing, Sport/Leisure, Energy, Legal, Pharma, Banking, Other, Charity, Public Sector, Healthcare, Recruitment, Retail, Transport.]

Respondents by company turnover:

[Chart: respondents by company turnover. Categories: Less than £25m; £25m to £100m; More than £100m.]

From those who disclosed their turnover (94%), it is clear that the respondents to the survey represented companies of a variety of sizes, with 30% of respondents representing companies whose revenue was more than £100m.

Respondents by job title:

[Chart: respondents by job title, in %. Categories: MD/CEO/Chairman, Director, Finance, Partner, Marketing & BD, Legal, Human Resources, Manager, Other.]

11% of survey respondents were Managing Directors or CEOs. 21% were Directors. 34% were senior management or above. Those in a Financial role made up a further 6% of respondents. The remaining 66% of survey respondents comprised HR, Finance, Legal, Marketing & BD and other management level positions.

Respondents by number of employees:

[Chart: respondents by number of employees. Categories: 1 to 10; 11 to 50; 51 to 100; 101 to 250; More than 250.]

Over half of respondents represented companies employing more than 250 employees. These respondents accounted for 51%. 35% of those participating in the survey represented SMEs (more than 10 but less than 250 staff). Micro (less than 10 employees) firms participated.

Part 2: Cyber Security

Is cyber security a concern for your company?

87% of survey respondents agreed cyber security was a concern for their company. Of those confirming that cyber security was a concern for their business, respondents were evenly spread across the country.

Does your company consider cyber security an IT department issue or a senior management issue?

[Chart categories: IT Department; Senior Management.]

70% of survey respondents stated their company viewed cyber security as a senior management issue. 30% of survey respondents stated their company viewed cyber security as an IT department issue. Regardless of location, survey respondents felt cyber security was a senior management issue.

How high a priority is cyber security to senior management?

[Chart categories: Very high; High; Low; Not a priority.]

39% of survey respondents stated that cyber security was a very high priority; 43% of the Managing Directors who took part in the survey agreed. 15% of survey respondents felt cyber security was a low priority to senior management, with 3% considering cyber security no priority at all to senior management. All MDs and FDs considered cyber security to be a high to very high priority for their business.

Is there an individual at board level who has responsibility for your company's cyber security policies and capabilities?

of respondents confirmed that their firm has an individual at board level responsible for their company's cyber security policies and capabilities. 28% of survey respondents stated their company had no individual at board level who took responsibility for cyber security. Only 12% of respondents answered "unknown", highlighting that most staff are aware that their company has an individual that is responsible for its cyber security policies.

Does your company have a specific budget to address cyber security?

23% of survey respondents stated their company has a specific budget to address cyber security. However, more than 50% stated their company didn't account for cyber security in its budget.

Does your company ensure employees are aware of cyber security of your company's data and IT infrastructure?

70% of survey respondents confirm their company ensures employees are aware of cyber security, whereas 30% of companies don't. Many companies ensure their employees are kept aware of cyber security through policies and staff training. Internal communication is also a key component in keeping staff up to date with cyber security.

What do you perceive to be the main threats to the security of your company's data and IT infrastructure?

The main threat to survey respondents was anything that disrupted business as usual. This included:

Hacking
Viruses
Malware
Loss of data
Unauthorised access to data, files and company information

A small number of survey respondents felt their security could be at threat through improper use of their company's IT by an employee. Of survey respondents, a significant number of Managing Directors felt viruses and hacking were the main threats to the security of their company's data and IT infrastructure.

If your company has cyber security policies and/or systems to identify cyber security breaches, do you consider these sufficient to protect your business?

[Chart; legible category: Not applicable.]

65% of survey respondents felt they had sufficient systems in place to protect their business, whereas 15% felt their systems were inappropriate to prevent breaches occurring. of survey respondents had no cyber security policies or systems in place to identify cyber security breaches. 92% of Managing Directors consider their cyber security policies and systems sufficient to protect their business.

Does your company carry out cyber security risk assessments?

66% of survey respondents carry out cyber security risk assessments, compared to 34% of survey respondents who do not.

If yes, are these risk assessments managed internally or externally?

[Chart categories: Internally; Externally.]

27% of survey respondents manage cyber security risk assessments externally. 73% of respondents manage cyber security risk assessments internally.

Does your company have crisis management/emergency response strategies in place should a cyber breach occur?

53% of survey respondents confirmed they had a response strategy in place should a cyber breach occur. 30% of respondents stated their business had no emergency response in place should a cyber breach occur.

Does your company periodically test its crisis management/emergency response strategies?

Only 38% of businesses periodically test their crisis management/emergency response strategies. of survey respondents stated that they did not periodically test their crisis management/emergency response strategies and 22% of survey respondents were unaware if they had response strategies. 54% of Managing Directors that contributed to the survey confirmed their company tested their response strategies.

How confident are you in your company's crisis management/emergency response abilities should a cyber breach occur?

[Chart categories: Very confident; Confident; Not confident.]

Over half of survey respondents felt confident in their company's abilities to deal with a cyber breach. 26% of survey respondents were not confident in their company's crisis management/emergency response abilities. 38% of Managing Directors are very confident in their abilities to respond should a breach occur.

Has your company suffered a cyber security breach?

13% of survey respondents stated they have suffered a cyber security breach. More than half of survey respondents stated they have not experienced a cyber security breach. 38% of respondents felt that their company failed to effectively deal with the breach. 47% of respondents perceived that their company dealt well to very well with the breach.

Would your company take a different approach were it to suffer a further breach?

24% of survey respondents would take a different approach if they were to suffer a further breach. 17% of survey respondents were satisfied with their approach. Of survey respondents, an overwhelming 59% were unsure whether they would take a different approach if they were to suffer a further breach. 66% of Managing Directors are unaware of whether their company would take a different approach for future breaches.

Part 3: Bring Your Own Device

Does your company allow use of personal devices for work purposes?

58% of companies allow use of personal devices for work purposes.

Do you know what proportion of your staff use a personal device for company work?

45% of respondents confirmed they know what proportion of their staff use a personal device for company work. Of these, 21% stated that all of their staff use a personal device for work purposes. Only 22% stated that less than a quarter use a personal device for company work. 4% of survey respondents stated half of their employees use a personal device for company work.

Does your company have a BYOD policy governing use of devices?

43% of survey respondents were aware of a BYOD policy governing use of devices, whereas 36% of survey respondents stated their company does not have a BYOD policy. 21% of survey respondents were unaware whether their company had a BYOD policy governing use of devices.

What restrictions on access/storage are in place?

[Chart categories: Unlimited access for devices; Access only to non-sensitive systems and data; Access but with IT control over devices, apps and stored data; Access, but no local storage of data on devices; Other.]

34% of survey respondents stated they had access but with IT control over devices, apps and stored data. of respondents confirmed that they have access but with no local storage of data on devices. of respondents have access only to non-sensitive systems and data. 19% of respondents stated they have unlimited access for devices.

Part 4: Remote Working

Does your company allow remote working?

Over 90% of all survey respondents confirmed their companies allowed remote working, regardless of their location.

What is your company's biggest concern in relation to remote working?

[Chart categories: Data/system security; Employee supervision; Employee productivity; Employee welfare (i.e. loneliness/isolation); Other.]

The main concern for survey respondents is data and system security () when working remotely. of Managing Directors concurred with this. 29% of survey respondents felt employee productivity was a concern in relation to working remotely. Only 17% felt that employee welfare was a concern.

Does your company have minimum security requirements for remote working, i.e. virus protection software?

81% of respondents confirmed their companies have minimum security requirements to support remote working. 12% stated they do not have the minimum security requirements for remote working. Only 7% of survey respondents stated they were unsure whether their company has minimum levels of security in place.

Part 5: Insurance

Does your company have cyber insurance (either as part of a general policy or a specific, separate cyber policy)?

Almost half (49%) of survey respondents stated they did not know if their company had cyber insurance. 16% confirmed that their company does have cyber insurance. 35% of survey respondents stated their company does not have cyber insurance. 69% of Managing Directors that took part in this survey were unsure whether their company had cyber insurance. Only 8% of MDs were aware if their company had appropriate insurance to cover cyber threats.

If so, is this insurance included as part of a general traditional policy or is it part of a separate, stand-alone cyber insurance policy?

[Chart categories: Part of general insurance; Stand-alone cyber insurance.]

For those who confirmed they had insurance, 36% of survey respondents said they had cyber insurance as part of their general insurance. Only 7% had independent cyber insurance.

What is the minimum cover of your stand-alone cyber insurance cover?

[Chart categories: Between £1m and £5m; Between £5m and £10m.]

80% of survey respondents were unaware of the minimum cover of the stand-alone cyber insurance cover. 16% of respondents said the minimum cover of their stand-alone cyber insurance cover was between £1 million and £5 million. Only 4% have minimum cover between £5 million and £10 million.

Does your stand-alone cyber insurance cover third party suppliers?

89% of survey respondents were unaware whether their company's stand-alone cyber insurance covered third party suppliers. Only 2% of survey respondents confirmed their stand-alone cyber insurance covered third party suppliers. 9% of respondents confirm their stand-alone cyber insurance cover third party suppliers.

Do you require your key suppliers to have specific cyber insurance?

Almost half of all respondents (49%) were unaware if having specific cyber insurance was a requirement for their key suppliers. 38% do not require key suppliers to have specific cyber insurance. 13% of respondents felt it necessary for their key supplier to have appropriate cyber insurance.

Part 6: Social Media

Does your company allow employees to use social media at work for personal and/or work purposes?

75% of respondents confirmed their companies allowed them to use social media at work for personal and work purposes, whereas 25% do not.

Does your company have a social media policy governing acceptable use and compliance with law?

64% of survey respondents confirmed their company has a social media policy governing acceptable use of social media which is in compliance with the law. 28% of survey respondents confirmed their company does not have a social media policy.

Does your company monitor employees' use of social media?

48% of survey respondents confirmed their company does not monitor employees' use of social media, whereas 33% of companies do. 19% of respondents were unaware whether their company monitors their use of social media.

Does your company have a reputation management strategy should an employee post something defamatory/offensive?

43% of survey respondents said their companies do not have a reputation management strategy. 35% of respondents confirmed they have a strategy should an employee post something defamatory or offensive.

Commentary by techUK

It is no wonder that so many companies said cyber security was a concern for them. The potential cost of an attack can be very high for businesses: Government estimates the average cost of a breach to a small or medium business was £35-65k in 2013, rising to up to £850,000 for larger enterprises. Damage goes wider than the cost of response time and business disruption: theft of IP, loss of data, business and reputation can all take much longer to rebuild at a much greater cost. Conversely, companies can capitalise on strong cyber security and cyber risk management, turning it into a competitive advantage. Knowing your data assets, for example, enables you to fully exploit them, whilst having a strong reputation for keeping customer data secure can build confidence and business.

Businesses understand that they are at risk from cyber attack but employees are not always aware where the risk lies. Recent research by techUK and Symantec found that 71% of respondents thought the IT department was at risk from cyber attack but only 31% thought the HR department was a target and 34% the sales department. However, targeted attacks against employees working in sales and with confidential information surged by 42% in the last year. Successful mitigation of cyber risk will require everyone to take responsibility for it.

The enterprise is expanding as companies adopt cloud solutions and increasing numbers of employees work on mobile devices, including personal ones. The proportion of companies letting employees use their own devices rose from 63% to 80% in the last year, whilst up to a quarter of IT spending by 2015 will be on service-enabled software. This new landscape will present challenges in securing the enterprise; McAfee, for example, observed a 33% rise in the volume of malware aimed at the Android platform last year, whilst growth in malware targeting PCs remained flat. Nearly of respondents to this survey said their company allowed employees to use personal devices but they were not aware of any policies governing use. CIOs will need to work quickly to overcome new security challenges if they are to derive maximum benefit from the new technology landscape.

Ruth Davis
Head of Cyber, Justice and Emergency Services
techUK

Comments from CBI

Cyber attacks are now in the same league as other mainstream business risks and should be taken seriously in boardrooms across the UK. The good news is that more businesses are becoming aware of the threat, but the findings suggest a complacency amongst businesses that will need to change as more and more businesses operate across borders and head online. Part of the answer is in collaboration, with more businesses working with other firms, and with government, to provide safe, flexible ways of sharing information on cyber attacks and the solutions to overcome and mitigate the risk.

Steve Rankin
Regional Director
CBI

Pitmans Cyber Risk Management Team

Philip James, Partner. T: 0207 634 4655 E: pjames@pitmans.com
Tim Clark, Partner. T: 0118 957 0264 E: tclark@pitmans.com
William Richmond-Coggan, Partner. T: 0118 957 0369 E: wrcoggan@pitmans.com
Philip Smith, Director. T: 0118 957 0462 E: psmith@pitmans.com
Richard Devall, Partner. T: 0118 957 0602 E: rdevall@pitmans.com
Mark Symons, Partner. T: 0118 957 0340 E: msymons@pitmans.com
Rob Jarrett, Solicitor. T: 0207 634 4618 E: rjarrett@pitmans.com

E: poppy@pitmans.com T: 0118 958 0224 www.pitmans.com