UK Businesses Are 'Uncertain And Ill-Informed' About Their New Financial Exposures

Survey exploring awareness among senior management of risks posed by use of new technology.

Survey provides insight into dangerously low level of senior management awareness of risks from use of new technology.

A survey conducted by MORI, sponsored by leading digital risk insurance specialists Safeonline, has revealed widespread 'uncertainty and naivety' about the risks posed by the use of new technology within businesses (i.e. risks as a result of the use of computers, Email and the Internet).

The report, which focuses on a representative cross-section of UK small, medium / large corporates and dot coms, discovers that:

  • Risk awareness is dangerously low - only 24% of medium / large organisations and 18% of small companies spontaneously mention any risks
  • Small businesses find it hardest to understand exposures - almost 1 in 4 small businesses say they just 'don't know' how their company manages these risks
  • Medium / large businesses alarmingly complacent - over half believe that 'most risks' are covered BUT when asked, well over half don't in fact have sufficient measures in place
  • Dot coms most able to identify potential risks - 63% of dotcoms spontaneously mention at least one type of risk they face from their company's use of technology
  • Employee training, not computer security, most popular risk mitigation method for medium / large organisations - almost 4 out of 5 train their staff to use technology safely
  • IT Manager's security advice is not trusted - 60% of UK small businesses do not trust their own IT specialists to protect them effectively against technology risks
  • Employees are considered weakest link - almost half of UK businesses believe that the errors of their employees are the most likely source of damage to their computer systems

Commenting on the research, Keith Carby, Chairman for Safeonline, says:

"The purpose of this survey is to understand how aware UK businesses are about their technology-related risks. The first step towards protecting your company's assets is to understand where you are exposed. The fact that businesses find it hard to identify exposures means that the majority are risking unnecessary financial loss."

MORI's findings are revealed at a time when concerns about computer-based risk are at an all-time high. High profile cases such as the hacking of credit card details of world leaders like Bill Gates and Yassir Arafat at the World Economic Forum in Switzerland have raised awareness of disaster cases. However, the low level of risk awareness within traditional bricks and mortar companies indicates there is a perception that only dot coms are at risk from technology use.

"Every business who uses computers, Email or the Internet is exposed," continues Carby, "On the upside - it's very easy for any business to take the required steps to protect themselves. It's just basic risk management - know your exposures, take steps to mitigate them, and then insure."

Key findings:

Risk Awareness

  • Small businesses least able to identify exposures - when prompted, there was a significant increase in awareness of risks among small companies (69% rather than 18%) and among medium / large companies (72% rather than 24%).

"This gap between the spontaneous and prompted mentioning of exposures indicates that small and medium / large businesses believe that they're not at risk, and it's not until they are encouraged to actively think about where their exposures lie, that they realise this. Their naivety then very quickly moves to deep concern once they identify the gaping hole in their organisation's risk management planning," says Nicky Perrott, Head of MORI Technology who ran the research on behalf of Safeonline.

  • Human sources (error or malice) are the most feared risks - the key perceived risk across all audiences (prompted) is damage to computer systems or Web site as a result of an unintentional error by an employee (dotcoms 40%, medium / large companies 47% and small 44%). The next highest key risk cited by small companies was damage to computer systems or Web site as a result of unauthorised access (i.e. hacking).

"It is no wonder that businesses worry about the damage to their computer systems. A business's information is its most important asset - anything that jeopardises the availability, integrity or confidentiality of that data is a realistic threat to the longer term future of that organisation," says Perrott.

  • Dot coms' perceived key risks differ - these are losses as a result of a denial of service attack, Trojan horse, malicious code (35%) and economic loss as a result of having to stop trading until a Web site or other technical problem is fixed (33%)

Scale of the potential damage

  • Medium and large companies are most worried about damage to their reputation
  • Small companies are most worried about impact on operations and financial loss
  • Dot coms are most worried about their operations and reputation

"Dotcoms are more vulnerable because they are 100% dependent on the online channel for trading and revenue. So it is not surprising that dotcoms have a greater awareness and acceptance of the consequences of risks of online trading activity. Only 7% of dotcoms consider that the risks associated with trading online would have 'no impact' on their company," said Nicky.

  • 'No impact' say 1 in 5 medium / large and nearly 1 in 3 small companies - companies are not saying that damage to their computer systems or Web site would have 'no impact' because they have procedures and contingency plans in place. It would appear they are responding this way because they do not appreciate the risks involved.

Risk Mitigation

Mitigation includes the use of employee training, policies, procedures and IT security software / solutions to minimise exposures.

  • Dotcoms more proactive in managing risks - only 2% of dotcoms do not have any procedures in place
  • 1 in 4 small companies and 1 in 10 medium / large 'don't know' if they are managing the risks of new technology
  • Staff training main mitigation technique for medium / large companies - nearly 4 in 5 train staff to use technology safely. In small companies the main mitigation tool is anti-virus software which is used by over half
  • Only 35% of small companies think 'most risks' are covered - only 3% think 'all' are covered
  • 1 in 8 small companies think they are mitigating 'none of the risks' compared with 6% among medium / large organisations

"Half of medium / large organisations are dangerously complacent and think that 'most risks' are covered, although many do not have sufficient measures in place nor do they have contingency plans. Less than half have measures in place such as firewalls and less than half have any contingency plans. It would appear that their over-confidence is based upon naivety," said Nicky Perrott.

Risk Transfer - insurance

Risk transfer is moving the residual risk from the balance sheet, via appropriate insurance.

  • Only 25% of small businesses are insured against their main risk - losses as a result of business interruption
  • Large proportions 'not interested' in insuring - this is probably because they are unaware of the need to insure, or wrongly assume that traditional insurance policies cover them

Trusted Advisors

Who do businesses trust to give them advice about their technology-related risks?

  • Insurance brokers are most trusted source - for advice about both risk mitigation AND insurance
  • IT security firms are highly trusted
  • Small companies do not trust their own IT specialists
  • E-commerce suppliers / outsourcers are least trusted by dotcoms (21%)
  • Internal risk / insurance specialists are also low on the list - for medium / large (30%) and small companies (33%)

About the Survey

MORI carried out a telephone survey of 303 respondents among dot.coms and mainstream companies in the UK. Total completed interviews were 43 with dot.coms, 158 with medium/large mainstream organisations and 102 with small mainstream companies. Medium/large mainstream companies have an annual turnover of £1m up to £100m inclusive. Small mainstream companies have an annual turnover of £50,000 up to £1m. All of those interviewed are responsible for or play an influential role in deciding on the company's IT insurance buying. Interviews were conducted between 23rd and 30th January 2001 for dot.coms, between 23rd and 25th January 2001 for medium/large mainstream companies and between 5th and 9th February 2001 for small mainstream companies.
