Back in 2020, it was reported that if it were measured as a country, then cybercrime would be the world’s third-largest economy after the United States and China. So it’s hard to overstate the significance of the issue.
Looking at matters on a more local level, the Government’s own statistics show that 39% of UK businesses identified a cyber-attack in 2022 (Cyber Security Breaches Survey 2022), broadly in line with the findings of previous years.
However, independent surveys put the number at more than 80% (Cyber Edge Group, 2022). The cost to the UK economy is estimated to be £27 billion annually.
The surveys also show:
- Phishing is the most common type of attack (83%)
- 31% of businesses are attacked at least once a week
- 20% experienced a negative outcome
- £19,400 average cost of loss for medium and large businesses
Reporting of Attacks
The reality is that businesses are under attack without even realising it. What’s more, it’s often some considerable time after the event when attacks are uncovered - if at all. Figures vary considerably but it’s typically 180 to 350 days between breach and detection. And naturally, many organisations are reluctant to admit to this.
Just paying off attackers and brushing things under the carpet is no longer an option. Under GDPR and the Data Protection Act, the ICO (Information Commissioner’s Office) must be informed of any significant breaches within 72 hours.
No sooner had we rung in 2023 than both the Royal Mail and The Guardian came under attack, causing severe disruption to their businesses, clients, and employees. If large organisations like this are vulnerable, what hope is there for the more typical SME?
So it’s a bad situation, and it’s not getting any better. It seems the hackers are always one step ahead; as soon as you enhance your defences, some miscreant smashes through them.
Too Many Businesses Are Not Prepared
The Government’s survey showed that fewer than one in five businesses have a formal ‘incident response plan’. What’s curious is that nearly four in ten businesses outsource their cyber security function; one would have thought that those specialist suppliers would urge their clients to develop such a plan. It’s absolutely essential that you know what to do when the worst happens; failure to have a plan could be considered reckless.
It's easy to see why smaller businesses outsource their cyber security function: they cannot justify a full-time, permanent in-house resource. Nevertheless, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process. This is worrying, and businesses need to more fully appreciate the risk they are exposing themselves to in their supply chain.
Expect Better From Your Employees
One thing worth singling out, and not really covered in many reports which tend to focus on malicious, outside threats, is the role of employees in protecting your information. Many cyber-attacks happen due to human error, such as falling for phishing scams, inadvertently downloading malware, using weak passwords, or not following proper security protocols. A PwC report in 2020 found 32% of data breaches were caused by employee or contractor mistakes; even worse, a study by IBM found that 95% of all security incidents are caused by human error. So, employee training is essential. They also need to understand the company's incident response plan and their role in it should an attack occur.
Accreditation to the Government-recognised Cyber Essentials scheme is the minimum that any business should aspire to. It’s a basic security checklist that you should probably be able to implement without any specialist support. It can also help you when bidding for contracts, especially those in the public sector.
But for much more rigorous, comprehensive security (encompassing information held in all formats, not just digital), businesses should aspire to implement the ISO 27001 Information Security Management System.
This worldwide standard for best practice is the gold standard, yet realistically achievable. It’s not just about cyber security. It provides a framework for managing and keeping secure sensitive company and customer information, no matter what format it is held in. For larger contracts, it’s increasingly becoming a requirement. Even if it’s not a necessity, being ISO 27001 certified puts a business ahead of the competition and provides reassurance to clients and everyone in the supply chain.