UK organisations of all sizes are under cyber attack from a persistent and dogged online enemy. They’re not alone in this, of course. But several new reports over the past few days have highlighted the sheer scale of the threat facing them. The British Chambers of Commerce estimated 20% of businesses have suffered an attack over the past year, while the government’s own survey put the figure at nearly half (46%). Both may be significant underestimates, given the current lack of mandatory breach reporting in the UK and the fact that many organisations lack visibility into key systems.
However, with strict new European data protection laws set to land in little more than a year, there’s no time to waste. UK firms urgently need to improve their defences. It will require a combination of people, process, and technology, but needn’t be overwhelming.
Threats are growing
The reports reveal a nation under attack from hackers able to hide behind the anonymity of the internet and strike at will with tools and intelligence gleaned from the darknet. The government’s Cyber Security Breaches Survey 2017 claimed that UK firms on average suffered 998 breaches/attacks over the year – the number inflated by those very small organisations suffering hundreds or thousands of attacks during the period.
Email and web channels are by far the most commonly targeted. Of those suffering an attack/breach, the largest share (72%) flagged fraudulent emails or being directed to fraudulent sites. Next came viruses, spyware or malware (33%), followed by fraudsters impersonating organisations in emails or online (27%).
A hefty bill
These threats aren’t necessarily difficult to guard against with standard best practice security measures – many are not particularly sophisticated or targeted. But firms seem to be shooting themselves in the foot by failing to put these basics in place. Only 11% of respondents had an incident management plan in place, for example, while just 20% said they’d trained staff in the past 12 months. And a little over a third (37%) said they had rules around data encryption.
You can bet the threats will continue to grow as long as more and more firms move their businesses online without taking adequate precautions. Even big brands like Wonga have been caught out recently, in a breach which may have affected as many as 270,000 customers.
The average UK business can expect a bill of £1,570 following an attack, rising to nearly £20,000 for large firms, according to the government. This only takes direct costs into account, however. Far harder to estimate is the impact on brand and reputation, which can send share prices tumbling and customers racing for the door. TalkTalk’s 2015 breach, for example, affected fewer than 160,000 customers but ended up costing the firm at least £60 million.
The fightback begins
The government report highlights several positives: 74% of respondents claimed cybersecurity is a high priority for senior management while 67% said they’d allocated budget to cyber. However, you need to spend that money in the right areas, and to focus hearts and minds in the boardroom on the task in hand. A recent report from CGI Group for the first time linked data breaches to share price performance, claiming FTSE100 firms experiencing a severe incident typically see 1.8% of their value wiped. This is the kind of data to get the board’s attention.
Here are a few other tips which could help firms improve their cybersecurity posture:
• Draw up a formal cybersecurity policy
• Invest in cybersecurity training, for permanent and temporary staff, refreshed annually
• Seek out government accreditation schemes like Cyber Essentials to help establish a baseline of good security
• Raise the profile of cybersecurity on the board; appoint someone with responsibility for the function
• Implement email and web gateway security from a reputable provider
• Consider encryption for your most sensitive data
• Implement an incident management plan
• Don’t forget to cover suppliers and third parties in any cybersecurity planning
Comprehensive cybersecurity is a matter of national security and requires the participation of all stakeholders. An effective strategy must include multiple layers of security, robust data protection, and ongoing user training and awareness.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.