The latest Government report on UK business cyber security has landed, and it does not make pleasant reading.
The Cyber Breaches Survey is part of the Government’s five-year National Cyber Security Strategy to transform the UK’s cyber security and to protect businesses online.
The depressing bit…
The report reveals that almost half of UK firms (46%) have reported a cyberattack in the last 12 months, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions of pounds.
Unsurprisingly, those firms that hold personal data were more likely to be attacked by criminals (51% compared to 37% of firms who do not hold data). This seems obvious. It’s known that criminals are deliberately targeting firms that hold this information – personal data is a gold mine to the unscrupulous and can be sold on to reap a very high return.
The most unsettling information in the report describes the commercial damage suffered by UK businesses that experience a data breach. This ranges from temporary loss of files to corrupted software, databases and systems, loss of access to essential third-party systems, and corrupted or frozen websites, all of which heavily impact online sales.
Revealingly, small businesses take, on average, a day or more to recover from a data breach.
The (slightly) more positive angle…
We’re not sure whether this should actually qualify as good news, but we like to be positive…
From the information in the report, it’s clear that most reported incidents were not highly sophisticated cyberattacks by gangs of tech-savvy criminals. Instead, the common attacks were based around fraudulent phishing emails, leading staff into revealing passwords and financial information, or unwittingly infecting their business systems with malware and viruses.
Since the attacks are not complicated, the defences do not have to involve high-tech wizardry or the latest software peddled by cyber security sales departments.
Basic, common-sense measures (as demonstrated by the industry-supported, government-backed Cyber Essentials scheme) will protect a company against most of these attacks.
There are even a couple of other positive trends.
It’s becoming clear that UK firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.
Following high-profile cyberattacks, businesses are now taking the threat seriously: three quarters of all firms say cyber security is a high priority for senior managers and directors, nine in ten businesses regularly update their software and malware protection, and two thirds of businesses invest money in cyber security measures.
So, it’s not all doom and gloom…
Why are businesses still being so heavily impacted by unsophisticated attacks?
Businesses are not implementing the basics. Areas where industry could do more to protect itself include adopting guidance on acceptably strong passwords (only seven in ten firms currently do this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).
Brian Lord OBE, former GCHQ Deputy Director for Intelligence and Cyber Operations and now Managing Director for PGI Cyber, has commented that the reason breaches are growing is “because companies aren’t protecting themselves properly, because they are being confused by the cyber security vendors… It is necessary to simplify everyone’s understanding of the threat.”
We agree. Cyber security vendors are exploiting the low level of security understanding among UK businesses by flogging expensive and unnecessary bits of technical kit, rather than advising businesses to concentrate on the basics.
This isn't just a challenge faced by SMEs; we see it in some of the world's largest companies too. It is one of the reasons why the UK government has also gone back to basics and developed the Cyber Essentials standard, which addresses the most prevalent unsophisticated attacks that unsophisticated criminals launch against us.