By Matthew Broersma
The UK’s telecoms and utilities sectors are “significantly exposed” to the risk of cyber-attacks compared with other industries, in the wake of high-profile hacking incidents, such as the TalkTalk breach.
This is according to a new study incorporating analysis by the Centre for Economic and Business Research (Cebr).
The study, commissioned by Montreal-based business services firm CGI Group, found that the risk to telecoms and utilities companies is greater than that to the other sectors considered—including banking, insurance and retail—due to the fact that the data they hold is considered valuable, while preparedness for hacking incidents trails that of organizations in other industries.
Cebr’s analysis found that the telecoms sector was most at risk, followed closely by utilities.
Only 29 percent of the boards of telecoms companies had a high degree of expertise on IT security issues, according to board-member executives surveyed for the study—the lowest level of expertise of all the sectors studied.
Meanwhile, the sector holds sensitive data that respondents estimated had a value to the company, on average, of £42 million, CGI said.
Telecoms companies were the least confident about the risk of cyber-attack in the coming year, with 52 percent expecting a significant breach in the next 12 months.
Companies in the sector recognize the urgency of the situation, with 76 percent planning to increase their use of external cyber-experts and IT security spending planned to increase by an average of 12 percent this year, compared to 7 percent in areas such as retail and insurance, although less than sectors such as banking and utilities, the study found.
In the utilities sector, boards were found to discuss IT security less often than in any other sector, with 40 percent of firms touching on the issue only twice a year, CGI said.
IT Disaster Planning
Utilities companies estimated their data was worth an average of more than £50m to the company, but only one in five said they had a well-developed IT crisis management plan.
“This is surprising given that utilities firms have high resilience with good business continuity planning, perhaps showing a lack of maturity in the treatment of cyber security as a major business risk,” CGI said in a statement.
Utilities firms recognized the need for additional investment in IT security, planning on average to increase spending in the area by 14 percent this year, the second highest level after the banking sector, and more than 70 percent of utilities boards said they were planning to rely on external consultants to aid in building IT security plans over the next few years.
Overall, British companies know IT security is an issue, but are finding it difficult to know how to approach the problem, CGI said.
“Boards know it is a risk but are uncertain in their approach, often failing to prioritize spend on cyber security,” said Andrew Rogoyski, CGI’s head of cyber security, in a statement. “Unless more is done to improve understanding and governance at the highest level we can expect to see more high profile breaches.”
Breach Likely
Companies’ boards are, however, generally planning to increase scrutiny of the matter, and are increasing investment and reliance on external experts, Rogoyski said.
Overall, 38 percent of respondents said they believe a cyber-security breach at their organization is likely in the next 12 months, with respondents estimating that if their most data were lost or corrupted it would cost the company on average about £1.2m over a one-year period.
British companies currently aren’t taking IT security seriously enough, CGI argued, with only 35 percent of respondents saying they think their board has a high level of expertise in the area and less than half saying they’re confident in the IT security advice they’re currently receiving.
On average, 68 percent said they plan to increase their reliance on external experts in the next few years.
The study is based on a survey in December and January of 150 executive-level board members at British companies with a minimum of 1,000 employees, and was carried out by Opinium in partnership with Cebr.