By Stephen Hancock, information security expert
The results are in. Britain’s businesses need to get better at protecting themselves from cyber criminals. The UK’s Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey seeks to uncover business attitudes toward cyber security and the nature and impact of breaches. So what picture emerges when we focus on medium and large businesses?
- The results strongly support the oft-repeated message – ‘It’s when, not if, you get breached’. Nearly 70% of medium and large businesses reported breaches or attacks in the last year. Phishing was by far the most frequent attack, with 72% falling foul of it.
- Ransomware is a new category of attack this year and is already at fourth place, with 17% reporting having been hit with ransomware demands. Some businesses feel they’re at low risk because they have little ‘valuable’ data, eg customer credit cards and bank accounts. And while it remains true that firms holding customer data suffered more breaches, the rise of ransomware shows the data only has to be valuable to you to be of interest to criminals.
- Despite the high level of attacks and breaches, there’s some evidence of complacency. Around 90% of medium and large firms say cyber security is a high priority for senior management – something the report cites as evidence of a strong security culture. But less than half have had staff attend training on cyber security in the last 12 months – and almost 40% don’t have a formal policy on cyber security. This is despite the prevalence of phishing.
- 10% of medium and large companies still don’t have guidance on selecting strong passwords and lack security controls on company laptops. Food and hospitality firms show particular weaknesses even though they’re especially at risk of breaches involving loss of customer data.
What might be surprising to some is the relatively low cost associated with an attack – just under £20,000, on average, for large firms. But while the average cost of handling many low-level attacks may be relatively cheap, the cost of a single breach that leads to the loss of personal data can be very different. The 2016 IBM/Ponemon Institute Cost of Data Breach Study for the UK put the average cost of a data breach at £2.53 million and this is only likely to increase when the penalties under the European Union General Data Protection Regulation begin to bite. A major breach may also have a significant effect on reputation and customer confidence. For example, TalkTalk’s breach cost the company an estimated £60 million and the loss of 95,000 customers, as well as a sharp drop in their share price.
So what should companies do?
I find the best prepared organisations share some common characteristics:
- they assess the risks to their business, using a formalised approach such as ISO27005 to include information assets, threats, vulnerabilities, impacts and likelihood
- they seek to meet the cyber security controls set out in standards such as Cyber Essentials, ISO 27001 and PCI DSS
- they seek advice on the state of their cyber security in order to obtain an independent view of their strengths and weaknesses
- they actively test using vulnerability scans and penetration tests – simulating the sort of attacks that a hacker may use – and then act quickly to fix the vulnerabilities found
- they plan and test their responses to data breaches, using security scenarios and cyber war-games, so that if the worst happens they are well prepared and can respond quickly and minimise damage
- top management is committed to continuous vigilance and improving cyber security, recognising that a sound security culture – where everyone in the organisation understands the risk and knows what part they can play in keeping their organisation and stakeholders secure – is essential.
Adopting these approaches – in a proportionate and relevant way for your organisation – will go a long way in helping you protect your organisation, your people and your customers from the constantly evolving cyber threat.