One in three middle market businesses don’t understand cyber threat, survey says

25 May 2022

A third of middle market businesses* (33 per cent) have admitted their board does not understand the cyber threat landscape enough to accurately assess their level of risk. Leading audit, tax and consulting firm RSM UK’s ‘The Real Economy’ report also highlighted that a third (33 per cent) of the 415 businesses surveyed had experienced difficulties recruiting cyber security experts with the right skills and experience to help safeguard against cyber threats.

Sheila Pancholi, Technology Risk Assurance Partner, RSM UK said: ‘The research is concerning, and suggests that in the current climate of increased risk, boards need to be much more attuned to the threats posed by the Russia-Ukraine conflict, volatile financial markets, speed of technology transformation and increased home working. In order to fully protect themselves, boards need to ensure they receive the right information from their IT teams or suppliers and encourage a culture of trust, openness and vigilance throughout the business.’

The Real Economy report also identified that, despite cyber crime increasing by 100 per cent since the pandemic,** a quarter of businesses have not considered cyber insurance, leaving themselves exposed to potential financial and operational loss and reputational damage. Over a third of businesses (35 per cent) say this is because they don’t understand what cyber insurance should cover.

Of the 62 per cent of businesses that do have a cyber insurance policy in place, understanding of what the policy covers them for has declined over the past year, with only a quarter (25 per cent) saying they are ‘very familiar’ with what’s covered, compared to 40 per cent in 2021.

The research also found confidence in current measures to safeguard sensitive customer data has dropped, from almost half of middle market businesses (47 per cent) feeling ‘very confident’ in 2021 to just over a third (35 per cent) feeling ‘very confident’ this year. This loss of confidence is justified, as the increase in ransomware attacks demonstrates cybercriminals are focusing efforts on ringfencing data that is key to an organisation’s continued operation.

Increasing security protocols remains the top action taken to enhance IT and data security in response to widely publicised data breaches (47 per cent), followed by updating privacy policies (42 per cent) and engaging data security consultants (41 per cent). Only 4 per cent of businesses failed to take any action in response to high profile cases of data breaches reported in the media.

Sheila Pancholi concludes: ‘It’s essential that board members educate themselves and their workforce about the increased risks and how to mitigate these in a continually evolving cyber threat landscape. With cyber-crime now occurring on an industrial scale across all sectors, no business can afford to ignore it. Every business should have a cyber incident response plan in place. Cyber security should be central to every business’s strategic and operational risk management process.’

Actions taken to enhance data security
1) Updated security protocols 47%
2) Updated privacy policies 42%
3) Engaged data security consultants 41%
4) Recruited data security staff 40%
5) Enhanced the security of existing remote workforce solutions 38%
6) Enhanced staff training/education efforts 33%
7) Developed new remote workforce solutions 33%
8) Purchased new or upgraded hardware 29%
9) Purchased new or upgraded software 27%
10) No action taken 4%

Note: percentages based on those who responded ‘yes’ to individual actions


Survey:
*The research was carried out by The Harris Poll for RSM. 415 senior executives from UK middle market businesses, defined as companies with a turnover between £10m and £750m, or financial institutions with assets under management of £200m to £7.5bn, were surveyed for the research.

Data for this survey was collected between 10 January and 31 January 2022. Information was collected online or via telephone from 415 executives meeting the set criteria. All individuals qualified as executive level decision makers working across all regions and a broad range of industries. Responses have been weighted to ensure a true representation of the UK economy. 
Chart percentages may not equal 100 per cent due to rounding.

**Source: ICO (Information Commissioner’s Office).