NCC Group analysis: UK Cost of Cyber Crime report and public perception

Business preparing for cyber events: ‘When not if’

There is no question that understanding the true cost of cyber crime to inform investment decisions remains a challenge for public authorities and private organisations alike. However, recent research [1][2] shows once more that organisations should not just look to weather the storm but should take proactive action to prepare themselves for when cyber events happen.

Ciaran Martin, Chief Executive of the National Cyber Security Centre, rather pointedly remarked recently (January 2018) that it was a matter of ‘when not if’ the UK would be hit by a category 1 cyber-attack [1].

Public belief: ‘When not if’ a cyber breach will occur

Recent research by the Costs of Cyber Crime Working Group [2] confirms that the public is similarly accepting of the inevitability of organisations being hit by cyber-attacks. Looking in detail at how organisations should best consider the reputational impact of cyber breaches, the Group found that “good reputation did not rely on never making mistakes”. Studies with members of the public have shown that cyber attacks could be forgiven, at least the first time round, so long as businesses took responsibility, swiftly offered solutions and treated customers with respect.

Where to invest: Response and preparedness

That means, though, that businesses should invest in their incident response and preparedness.

As the research pointed out:

  • Businesses should, at the very least, take care to understand the risk factors of cyber attacks potentially affecting their reputation. This includes the importance of data security as part of their business offer and the visibility, impact and timing of any likely attack among customers and key stakeholders.
  • Businesses should then use these assessments to develop more considered incident response and handling plans for future attacks. This should particularly take into account the importance of providing swift, honest and direct communications to customers, training customer service staff to reassure customers in response to queries, and putting in place adequate reimbursement or compensation procedures.

Fool me once, shame on you; fool me twice, shame on me

The Working Group research makes it clear that the public are likely to be less forgiving of a second breach. That makes getting incident response right crucially important, yet too many businesses still do not have properly thought-out response plans in place that allow them to react to cyber attacks in the right way.


Prevention of cyber attacks, it is now accepted, is near impossible. A lack of preparedness and resilience for when cyber attacks do happen is thus careless at best. As cyber attacks become the new reality, public patience with those who aren’t waking up to smell the coffee might (rightly) run out.

More information about NCC Group’s incident response planning services is available here.


[1] -

[2] -

Published date:  26 January 2018

Written by:  Katharina Derschewsky
