Firms split on who handles aftermath of cyber-attacks

Image caption: Senior staff have different ideas about the costs of breaches, found the research

Large companies are confused about who should be in charge of dealing with the aftermath of cyber-attacks, according to new research.

The study by BAE Systems suggests senior managers expect IT staff to deal with data breaches, but technology bosses feel it should be board members.

The confusion could make firms more vulnerable to attacks, said BAE.

Both camps also had widely different estimates of how much a breach could cost, according to the research.

“Both sides seem to think that it’s the other’s responsibility when it comes to a successful breach and that reflects a gap in understanding,” said Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems.

The research had responses from 984 IT managers and 221 executives from Fortune 500 companies across the world.

It suggested that 50% of IT staff believed boardroom executives should take the lead when it comes to deciding how a company should respond and repair after it has been penetrated by hackers.

By contrast, more than a third of the chief executives questioned said IT staff should be the ones cleaning up, fixing problems and hardening defences.

Breach costs

The differing views could contribute to the inevitable confusion that follows when firms, both large and small, suffer a breach, said Dr Nish.

“That is definitely a weakness and it will lead to organisations not being prepared for oncoming attacks,” he said.

The two groups also differed when asked about breach costs.

Technology bosses believed that, on average, a breach would cost a company about $19m (£15m).

The estimate included fines, legal fees, remediation expenses and compensation for customers. By contrast, boardroom members put an average price tag of $11.6m (£9.2m) on breaches.

“Any business you’re in, whether it’s media or pharmaceuticals or a charity, your business is involved in tech in some way, shape or form,” said Adam Thilthorpe, director for professionalism at BCS, the chartered institute for IT.

“There are lots of people on the boards who think cybersecurity is not related to being a director of a company.

“How many TalkTalks does it take to realise the buck stops at the top?” he said, referring to a 2015 attack on the telecoms firm.

Oliver Parry, head of corporate governance at the Institute of Directors, said businesses should focus on “preventative measures” to protect against cyber-threats.

“As with other principal risks to a business, responsibility of outlining this strategy should fall with the board.

“Lasting cybersecurity only comes from embedding good practice throughout the culture of an organisation, starting from the top. No system or person alone can prevent indefinitely the threat of a cyber-attack.”