Our latest Risk:Value report is here, and it seems that attitudes towards cybersecurity risk are changing. Around a fifth of UK business decision makers questioned now see information security as the single greatest risk to their organisation, which is up from less than 10% in 2014. This shift in attitude may be fuelled in part by high-profile breaches, and underlines the importance of robust policies and procedures.

It’s really encouraging to see that the majority of UK businesses now have or are working to have a formal IT security policy in place, though it appears companies still require help in implementing these – given that a lack of compliance and incident response planning are cited as reasons that any relevant insurances could be invalidated.

The financial significance of a security breach is also greater than in our last survey – those questioned anticipate that revenue would fall by 13%, compared with 8% when we last polled in 2014.

However, there still seems to be a trend to treat the consequences rather than the causes. Almost two-thirds expect to be breached and anticipate it will take about 8 weeks to recover, potentially costing in excess of £1m. Whilst it is important to make a provision for recovery should the worst happen, it is also important to take a balanced approach.

Prevention is still better than cure and, although cyber-attacks are becoming more sophisticated, our findings from an earlier report show that they do not need to be sophisticated to succeed. As a result, getting the basics right is hugely important in order to reduce the frequency and impact of potential breaches. A well-rounded approach to risk management requires both proactive and reactive abilities, along with a well-communicated plan.

It’s really encouraging to see that the majority of businesses now have or are working to have a formal IT security policy in place, although it appears companies still require help in implementing these. Lack of compliance and incident response planning are cited as reasons that any relevant insurances could be invalidated, suggesting there are perhaps still gaps in the execution of policies – maybe as a result of a skills shortage in key areas.

It is clear from the Risk:Value findings that cybersecurity risk is on the radar, and many business decision makers recognise the consequences of failing to act. This must now translate into appropriate investment to support a well-rounded and robust risk management plan. This doesn’t simply mean increasing spend, as that won’t necessarily address the problem. Instead, it means businesses must understand their risks, prioritise their areas of focus and allocate the appropriate resources to address the gaps in their cybersecurity policies.