For anyone in doubt over the scale of the threat posed to businesses by cyber security attacks, the findings of a UK government survey yesterday made for sobering reading.
The 2017 Cyber Security Breaches report – which questioned more than 1,500 businesses – revealed that almost half of UK firms were hit by a breach or attack in the past year.
No one wants to admit they have been hit by a cyber attackAusten Clark
• READ MORE: Clear command and control needed in cyber-crime war
As a number of high-profile cases involving the likes of TalkTalk, Tesco Bank and eBay have underlined, the potential financial, operational and reputational impact of an incident can be significant. The average cost to large businesses of a breach was estimated at £20,000 by the survey but in some cases that figure reached into the hundreds of thousands or millions.
Of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third-party systems they rely on, and one in ten had their website taken down or slowed. Businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51 per cent compared to 37 per cent).
Small businesses can also be hit particularly hard by attacks, with nearly one in five taking a day or more to recover from their most disruptive breach.
The most common breaches or attacks were through fraudulent emails such as those coaxing staff into revealing passwords or financial information, or opening dangerous attachments. Viruses, malware and ransomware – where an attack encrypts a company’s data and then demands money to unlock it – were also high up in the list.
The government has committed to investing £1.9 billion to improve defences against cyber attacks with initiatives including free advice and online training to businesses through the Cyber Essentials and Cyber Aware schemes.
Although some attacks are highly organised and targeted, Ciaran Martin, chief executive of the government’s National Cyber Security Centre, points out that most are not and that businesses can take relatively simple steps to protect themselves.
“The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities,” he says.
The survey identified a number of areas where business could do more, including having formal policies on managing cyber security risk, cyber security training and planning for an attack with a cyber security incident management plan.
• READ MORE: Cracking the global cybersecurity conundrum
A separate survey earlier this week also found a worrying lack of action among many firms. Only a quarter of firms surveyed by the British Chambers of Commerce said their business has security measures in place to guard against hacking,
According to Austen Clark of Turriff-based IT firm Clark Integrated Technologies, the problem could be even worse than the figures suggest. “Cyber-crime is a bit like the elephant in the room,” he argues.
“Everyone has heard of it and has stories relating to ‘other businesses’ but no one wants to admit they have been hit by a cyber attack as there seems to be a stigma around being a victim of a scam or con.
“As cyber-criminals become more determined and better organised, no business can afford to take its eye off the ball. Firms of all sizes, from major corporations to one-man operations, can be victims so all need to be proactive about protecting themselves.”
Mike McGlynn of IT supplier World Wide Technology, which works with some of the biggest firms in the world, believes that changes in working practices aimed at helping drive efficiencies are now also exposing many businesses to an increased threat of breaches of attacks.
The growing trend for employees to use their own phones and computers to access company data – known as Bring your own Device (BYOD) – is opening up a whole new raft of risks. Enabling employees to use the phone or PC they are familiar with from personal use can boost productivity and reduce IT costs but McGlynn says companies need to also make sure they take steps to protect themselves in an increasingly connected world.
McGlynn points out that the pace of change being seen in technology means that even the manufacturers of devices may not be in a position to regularly patch software in order to protect against online threats, let alone the businesses that are allowing such devices to connect to internal business systems.
“BYOD has certainly proved a challenge for many organisations, but the predicted explosion of connected devices – to reach 20.8 billion globally by 2020 – means that companies must take a holistic approach to cybersecurity,” he warns.