We polled 152 business and legal professionals on data the data security threats affecting them most, and what their institutions are doing to combat them.

Data security threats are becoming a larger and larger concern for businesses and their advisers, especially in the M&A and deal making space, but there’s a lack of clarity on how to prepare for these threats and combat them when they come up. As a virtual data room provider for M&A deals and corporate document sharing, Firmex was interested in getting more concrete answers. So we conducted a poll asking professionals for their thoughts on cyber attacks, what their companies have done, and how they have been affected so far. As we will show, the results demonstrate a clear need for greater protections against cyber attacks and data breaches, as fears become pervasive, a significant number of companies see their bottom lines affected, and institutions remain slow to act on comprehensive data security measures.

The polling sample

Our data is based on the responses of 152 business and legal professionals. In order to arrive at this sample, we asked respondents to identify their occupations, and removed anyone not specifically in these industries, including students, members of other occupations, and those who left the field blank. In all, there were 152 usable respondents from a total field of 226.

Among those, their occupations are divided as such:

Focusing in on the 25% who reported “other” as their occupation, they wrote in the following industries:

Overall, our sample represents a wide variety of business and legal professionals, and leans most heavily toward investment banking and other industries directly involved in or adjacent to M&A.

Growing Data Security Risks

Respondents indicated that there are growing cybersecurity concerns across the boards. When asked the question, “Do you feel the threat of cyber attacks has increased in the last year?,” an overwhelming 85.4% said yes.

On top of that, an alarming one in five respondents reported that a cyber attack has already affected their company’s bottom line. While still a minority, the severity of risks associated with cyber attacks, and the potential for lost money, makes that a significant concern for businesses and law firms.

Going deeper into the group of respondents who reported a cyber attack already affecting their company’s bottom line, this is how they break down by industry:

The largest segment comes from investment banking and M&A advising, while about a quarter each come from business development and accounting. The presence of M&A professionals is particularly alarming, since hackers have increasingly targeted the deal space with their attacks over the past year and a half.

In late 2014, a study found that cyber criminals had hacked more than 100 companies, advisers, and law firms for information on deals that they could use to affect the marketplace. In fact, it found that up to five organizations per deal had been hacked – consistent with our findings that 1/5 respondents reported an attack affecting their bottom line.

Companies responding with cybersecurity measures, but still not doing enough

Institutions seem to be aware of growing risks and are making some efforts to combat them. In response to the question, “Has your company increased efforts to combat cybersecurity in the past year?,” 65.1% of respondents replied “yes.”

This squares with PwC’s 2016 Global State of Information Security Survey, which found that organizations across the world had increased their information security budget by 24% in 2015, and are increasingly buying insurance against losses incurred from security breaches. That said, 65.1% still pales in comparison with the 85.4% of respondents who feel that the threat of cyber attacks has in increased in the last year, showing an alarming disparity between the two.

In fact, despite growing cybersecurity measures across organizations, only 42.8% of respondents said they had ever received cybersecurity training.

This is particularly problematic in light of the fact that the majority of cybersecurity breaches can be traced back to current employees, and a steadily increasing percentage can be attributed to business partners. There is clearly a need for more informed workers in addition to infrastructure investments.

The hacking risks of email

Email is highly susceptible to data breaches, and is one of the most common targets of hackers, and yet it remains the most common form of communication and document exchange in businesses. In their study on M&A and data security, FireEye uncovered and tracked the activities of the FIN4 group, which targeted deal information by sending emails laced with malicious links and downloads to board level executives and corporate development teams. And yet, 68.4% of our respondents feel that email has an average to high level of security, while only 31.6% feel that it is not secure.

With mounting cybersecurity risks across industries, it’s essential for businesses and law firms to do more to combat data breaches. This means adopting secure communications and document sharing programs, tuning up security infrastructure, and training employees in security best practices. Only with this joint approach can institutions avoid significant threats to their bottom line.

