Half of UK businesses expect to be hit by a cyber attack and that recovery costs will be £1.2 million or more.
This is the highest figure globally, according to the Risk:Value 2016 report by information security and risk management company NTT Com Security.
The report is based on a survey of business decision-makers in the UK, the US, Germany, France, Sweden, Norway and Switzerland.
Although about 50% of UK respondents said information security was vital to their organisation and agreed it was good practice, 20% admitted that poor information security was the single greatest risk to the business, ahead of decreasing profits (12%), competitors taking market share (11%) and on a par with lack of employee skills (21%).
Well over half (57%) agreed that their organisation would suffer a data breach at some point, while only one third disagreed and one in 10 said they did not know.
They expected recovery from a cyber attack to take an average of two months, and they anticipated a 13% drop in revenue, on average, following a breach.
The survey showed that recent high profile data breaches are starting to hit home, with organisations spending 11% of their IT budgets on information security, up from 10% the previous year.
However, nearly a quarter of the UK businesses surveyed revealed that more is spent on human resources than on information security.
Detailing remediation costs following a security breach, the report said respondents indicated that they expected 18% to be spend on legal fees, 18% on fines or compliance costs, 17% on compensation to customers, and 11% on third-party remediation.
Other anticipated costs included PR and communications (14%) and compensation paid to suppliers (12%) and to employees (11%).
According to the report, the vast majority of UK respondents admitted they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%), as well as direct financial loss (41%). More than one-third of decision-makers (34%) expected to resign or expected another senior colleague to resign because of a breach.
The study found that although only 41% of UK organisations have a disaster recovery plan in place and only 40% have a formal security policy, in both cases almost half are in the process of implementing or designing one.
In terms of responsibility for managing a company’s recovery plan, 15% of respondents said the CEO now has responsibility, although it still largely falls to the chief risk officer, chief information officer or chief security officer.
While 77% agreed it is vital that their business is insured for security breaches, only 26% have dedicated cyber security insurance – but 38% are in the process of getting a policy.
One in five UK respondents said they did not know if their organisation had any type of insurance to cover for the financial impact of data loss or an information security breach.