The Institute of Directors (IoD) is warning that firms are not taking cyber security seriously enough.
The research, conducted with Barlcays, found that just 28% of cyber attacks are being reported to the police. Companies were found to prefer not to report attacks, despite 49% of attacks causing interruptions to business practices.
Richard Brown, Director EMEA Channels & Alliances at Arbor Networks, said: "The fact that cyber-crime is not being reported and businesses are paying hackers’ ransoms is very concerning. It will also be a worrying thought for many customers who will wonder whether their data has been compromised."
91% of the business leaders surveyed said that cyber security was important, but only 57% had a formal stragey in place to protect their firm, with 20% having insurance for a cyber attack, and 21% considering it in the next 12 months.
Professor Richard Benham , who authored the report, said: "As attacks become more prevalent and increasingly sophisticated, businesses need to defend themselves, know how to limit damage, and be ready to respond quickly and comprehensively when the inevitable happens. No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response."
The IoD reported that one in eight of its members had experienced damage as a result of a cyber attack that interrupted businesses. "The implication of this figure is that anti-virus software/firewalls are not being used effectively either by the business or their provider," said the report.
Benham said that the research, which was compiled on the basis of responses from nearly 1000 members of the IoD, emphasised that cyber attacks need to be taken seriously at the very highest levels of a business, saying that it should become "a boardroom priority."
The report said that 49% of respondents provided cyber awareness training for staff, and 6% said that they had not spent anything on cyber security over the course of the last year.
"Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance," said Benham.
The research also found a lack of awareness in key cyber issues. While 59% said they outsourced their data, 43% didn’t know where the data was physically stored, a statistic the IoD describes as "truly frightening".
Stephen Love, Security Practice Lead – EMEA at Insight UK, said: "It is crucial businesses assess just what portion of their data is most valuable and needs closer security attention. Not all data in an organisation would be deemed ‘sensitive.’ By carrying out a thorough assessment as to what data is uniquely distinct to the organisation, then discovering in what ways it’s at risk and putting in place security measures accordingly, every organisation can feel confident that they have the best defensive measures possible in place. "
21% were unsure whether or not they held cyber insurance, while 68% had never head of the UK’s national reporting centre for fraud and internet crime Action Fraud Aware.