In the last 12 months, 32% of businesses identified a cyberattack or breach. The resulting loss of data or assets has cost firms an average of £4,180, up by more than £1,000 since 2018, according to the UK Government’s latest Cyber Security Breaches Survey 2019 published this year.
While the number of cyber-attacks on businesses is down on the previous year’s figures, cybercrime is still costing firms dearly. That’s why it’s more important than ever to protect your data and ICT (Information and Communications Systems).
Cyber Security Awareness Month
October is Cyber Security Awareness Month and it aims to highlight the cyber threats which businesses face on a day-to-day basis. This annual awareness-raising campaign promotes cyber security and the importance of protecting yourself online. It’s a timely campaign to remind ourselves about the cyber risks and types of attacks out there, and the action which all businesses, small or large, can take.
How businesses stand to lose out from cyber threats
Clear risks remain for businesses who don’t take the necessary steps to protect themselves from malicious cyber-attacks – these include:
1. Financial loss – the average (mean) cost to the business was £4,180 in 2019. This is higher than in 2018 (£3,160) and 2017 (£2,450) (Cyber Security Breaches Survey 2019)
2. Loss of productivity – the cost and time of fixing cyberattacks is often overlooked
3. Reputational damage – a possible long-term and intangible cost.
The huge potential financial losses should be an incentive to sit up and take notice, but there is also a further danger lurking for SMEs – that of loss of business from larger firms. This is because larger UK companies are increasingly demanding good cyber security standards from their suppliers. SMEs who don’t secure their businesses adequately may find themselves ruled out of the supply chain.
The Government’s Cyber Security Breaches Survey 2019 also found that of the 32% of businesses identifying breaches or attacks in the previous year:
● 48% identified at least one breach or attack a month
● 27% had staff time taken up dealing with the cyber attack
● 19% had staff stopped from carrying out their daily work.
Types of Cyber Attacks
The types of cyber-attacks commonly experienced by the 32% who had been attacked included:
● Phishing attacks – to which the majority (80%) of firms had fallen prey
● Attacks impersonating another organisation via email or online – 28% had been targeted this way
● Viruses, spyware or malware, including ransomware attacks – 27% experienced these cyber-attacks.
While fewer businesses had experienced attacks compared to the previous year, the ones which had been victims were experiencing more of them. Once cyber criminals find a digital vulnerability they continue to take every advantage.
What actions can SMEs take to increase cyber security?
There are many software and hardware solutions to help protect your online security, but it’s just as important to think about your own actions, and those of the people you work alongside. Where there has been a change in attitude amongst businesses towards their cyber security, the Government’s Survey found that the following shifts in behaviour had taken place:
● Written cyber security policies – these are becoming more common amongst businesses; the survey found 33% of businesses had written policies compared to 27% in 2018
● Cyber Security Training – 27% of businesses were more likely to have staff attend relevant training in the previous 12 months
● Government’s Cyber Essentials scheme – 56% of businesses said they had implemented controls in all the five technical areas listed under the Government’s Cyber Essentials scheme. Crucially this included applying available software updates, installing up-to-date malware protection, firewalls with appropriate configurations, restricting IT admin and access rights to specific users, and security controls on company-owned devices.
● GDPR – 30% of businesses said they have made positive changes to their cyber security policies and processes partly due to the GDPR coming into force in May 2018.
In fact the 2019 Government survey found that 7 out of 10 businesses had some level of spending on cyber security, similar to the previous two years.
What are the cyber security priorities of a business-owner?
Many of the drivers for wanting to invest in cyber security will be familiar to business-owners. Amongst 920 businesses investing in cyber security, the Government’s Cyber Security Breaches Survey 2019 found the following top eight unprompted main reasons cited by them for wanting to pay more attention to cyber protection:
1. Protecting customer or donor data
2. Protecting trade secrets, intellectual property or other assets (e.g. cash)
3. Business continuity or preventing downtime
4. Preventing fraud or theft
5. Complying with laws or regulations
6. Protecting reputation or brand
7. Customers or donors require it
8. Protecting our staff and systems.
Outsourcing Cyber Security as a Solution
Yet despite the welcome steps and shifts in behaviour towards cyber security, too many firms have yet to take adequate action to protect themselves from cyber risks. It may be a matter of time pressures, other priorities or lack of expertise but the increased awareness of cybercrime is not always matched by adequate responses.
The Government’s Cyber Security Breaches Survey 2019 found that many firms were turning to outsourcing cybersecurity as a solution – almost half of all businesses (49%) and three in ten charities (32%) have an external cyber security provider.
What’s more, outsourcing is more common among small and medium businesses than others – a similar pattern to previous years – and among firms in the finance or insurance, and health, social care or social work sectors.
Of the 1,566 UK businesses in the Survey, the following percentages turned to external cyber security support providers:
● 67% of 281 medium firms
● 63% of 321 small firms
● 56% of large businesses
● 43% of 757 micro businesses
How can outsourcing help?
The survey found that some firms outsourced all aspects of their cyber security, useful when busy or over-stretched staff just don’t have the time to see to this vital function. Others chose to outsource a specific function, for example firewall installation.
The Government’s Cyber Security Breaches Survey 2019 observed: “Some organisations also saw outsourcing as a cost-effective way of bringing in additional expertise to supplement the skills within their organisation. These mirror the findings from an earlier DCMS study (published in December 2018) on the UK cyber security skills labour market.”
In fact, the Survey found a positive correlation between those firms treating cyber security as a high priority and those outsourcing this role as a way of improving their overall cyber resilience. The Survey also found:
“External providers were also an important source of information and guidance for organisations, so were also able to spread best practice. For example, one high-income charity working in social care had their external provider carry out training with staff around phishing emails. The charity felt this had led to improved staff awareness and behaviour.”
If you’re a business considering your cyber security options, then contact an experienced external IT provider who can advise on the best way forward to protect your data, assets and profits.