SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image

Cybersecurity failures costing UK firms GBP £10 billion annually

Mon, 18th Nov 2024

Panaseer has unveiled research indicating that failures in cybersecurity controls are costing UK businesses GBP £10 billion each year.

A survey conducted by Panaseer of 400 security decision makers in the UK and US has highlighted significant issues facing security leaders, particularly regarding their lack of trust in reporting data and increased personal liability. The report titled "ControlWatch and the Continuous Controls Battle: Panaseer 2025 Security Leaders Report" examines these challenges and their implications.

The research shows that 61% of organisations experienced a security breach in the past year, attributing these to ineffective policies, governance, and controls. This has led to a total annual cost of GBP £10 billion for UK businesses. This financial impact comes as 90% of security decision makers report being expected to provide greater assurances on security control performance.

However, despite these expectations, there is significant doubt among security decision makers about the reliability of the data. The report revealed that 85% face increased scrutiny from the board, with 57% frequently asked to provide assurances yet lacking the necessary trusted data. Furthermore, only 55% feel fully confident that the data presented to senior management and the board is accurate.

The pressures facing security professionals have also led to an increase in personal indemnity insurance uptake, with 72% of security leaders securing such insurance to protect against the consequences of security failings. Another 20% are considering it. Despite these efforts, only 34% of insured security leaders have protection in perpetuity, leaving potential gaps if they change employers.

Jonathan Gill, CEO at Panaseer, commented, "In the wake of highly publicised attacks – such as the SUNBURST SolarWinds breach – regulators like the SEC are enforcing criminal charges and stringent rules on CISOs, who are under a corporate sword of Damocles. Their feet are being held to the fire by boards and regulators, but they lack the data to provide accurate insights. Some CISOs have been forced to plaster over the cracks with personal indemnity insurance. But this treats the symptoms without addressing the causes. If this this blame game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry – either of their own volition, or at the behest of courts."

The personal liability placed on security leaders presents a mixed response. The report indicates that 75% feel they have more personal liability now than two years ago; 72% agree at least somewhat that this is fair. However, 28% view this liability as unfair, with some expressing emotions such as anger over the personal risk linked to security failings.

Gill further remarked, "It's understandable that security leaders have mixed feelings about having greater liability. For some, it will sharpen the mind – raising standards across the industry. For others, it'll pile more pressure onto an already demanding role. Ownership, accountability, and responsibility are positives in cybersecurity, but if those tenets go too far, they put undue stress on individuals, rather than the collective. The industry must avoid putting a target on a single person's back. CISOs shouldn't be made scapegoats for security incidents, whilst ignoring all the good work they do."

A critical issue identified is the lack of tools available to cybersecurity teams to provide reliable data and insights for board and senior management assurances. Panaseer's report shows 67% of teams are unequipped with the necessary analytical tools, resulting in visibility gaps and unclear risk pictures. This has added more burdens on security teams, impacting their ability to prevent breaches and justify cyber investments.

Gill concluded, "While other business units are empowered with specialised tools – like SAP and Salesforce – to enable data-driven insight, CISOs are often left to make do with disparate tools and no single trusted view. We need to even the odds, giving security leaders a system of record that offers a transparent view of every asset within an organisation. Armed with this golden source of truth, CISOs are empowered to provide assurances, report risk in good faith, discover gaps in security and plug them before a security incidents take place, protecting both themselves and their company."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X