According to a recent report by the BBC, 55% of businesses have reported cyber-attacks in 2019.
That’s up from 40% in 2018. Except we’re only four months in to 2019.
There’s also been a sharp increase in losses incurred, averaging at around £176,000. But note that this is across all claims made with insurance companies. The sizes of business and the case by case losses will vary wildly and suggests some companies are taking big hits.
Regardless it demonstrates an alarming increase in attacks. Moreover, the same insurers who are reporting the sharp rise in claims are also saying that the number of organisations scoring top marks for their cyber security is dropping.
Research suggests that the UK businesses are dangerously underspending compared to Europe and the US.
In the cases of multinationals, UK firms are spending 39% less compared to the rest of the group.
Perhaps there is a perception that UK businesses are less likely to fall foul of cyber-crime. But these numbers suggest very differently.
The report comes after news that half a billion Apple users were attacked by eGobbler, attempting to hijack their Chrome browser on iOS.
Although largely focused on the US, it highlights that attacks aren’t just limited to big business. But rather the exploit came because of a big business.
Considering the recent revelation that Facebook have been storing passwords in plain text form on their servers goes to show how millions can be affected by businesses not taking security seriously.
Knowledge is Power
One of the biggest challenges seems to be a lack of awareness by businesses that cyber security is a genuine threat to their long-term survival.
Cyber security companies, anti-virus software developers and others are working hard to counter the maddening number of threats. But the end users have a wildly varied level of understanding as to the dangers.
This is understandable to an extent. Most businesses are too pre-occupied with the matters of running a business to worry about cyber security.
Especially if that business – on the surface at least – has nothing to do with the online world.
But all it takes is an unguarded network connection.
Unless an organisation has an in house or outsourced IT professional working to keep the infrastructure safe then the business is vulnerable.
However, hacks are only part of the problem.
A ransomware attack hidden in an email attachment can bankrupt a business or force it to close. Improper storage of client information could lead to crippling lawsuits and even criminal prosecution for data protection breaches.
In April 2019, fake US State Department documents were used in a European embassy cyber-attacks. Which goes to show no amount of systems and software can protect you from an unwitting click on an email attachment.
Although brute force and DDoS are types of attack we most commonly associate with cyber-attacks, the truth is cyber criminals are becoming increasingly more inventive in how they can steal information and money.
But ultimately, they are capitalising on the failure or unwillingness to act by businesses who aren’t taking cyber security seriously.
Or simply haven’t had the information put in front of them.
Government guidance exists on cyber security as well as the Cyber Essentials certification process. But businesses and individuals need to know it’s out there.
This is the crux of the issue – it’s very difficult to communicate important information to everyone. The government could advertise on television, use paid search and post on social media. They could email every registered company on the Companies House database.
But there is absolutely no guarantee that every business owner would see it. Or act on the advice.
The Cost of Doing Business
Most things in life come at a cost. If we want a service, we pay for it. Which includes the things we need over the things we want.
Where that comes unstuck is when we don’t see the value in a service or product. What good is a firewall or virus protection software when the business has never had a virus or ever been hacked?
What good is a screening tool to vet attachments when no one has ever downloaded anything dodgy?
A freemium virus protection programme will do. For the entire organisation.
Or cracked version of Norton that can download updates.
The answer is – of course – painfully obvious.
Considering the inconsistent messaging surrounding cyber security, the lack of awareness and the general reluctance some businesses have in investing in their IT infrastructure this, it’s also hardly surprising.
Although, the biggest challenge facing the cyber security and IT businesses may not be awareness. After all, someone not knowing they need proper cyber security isn’t a problem, it’s an opportunity.
The problem is helping those businesses – who may be cash poor, or simply lack budget – understand that spending money on a robust network is an investment.
The challenge of course is communicating the value of something that is largely intangible, may never be needed or – potentially – may not work.
The validity of good cyber security isn’t that it’s impenetrable but able to hold out longer than is profitable for the hacker to sustain the attack.
The fact that no one can guarantee the security measures will be 100% effective isn’t an easy sell. Especially when you’re asking a business to not only hand over hard-earned cash but put the safety of their business in your hands.
Although it may be frustrating to hear that no security is inviolable, it’s not half as frustrating as watching your business get dismantled because you didn’t have any at all.
What’s the answer?
There is no easy fix unfortunately.
There is an argument for making insurance companies insist on a basic level of cyber security in order to insure businesses against cyber-attacks. The Cyber Essentials certification for example.
Although the more likely outcome would be that businesses would choose to exclude cyber-attacks from their policy to save themselves the time, effort and cost of making their business compliant.
Plus, it would make their insurance premiums lower too.
The alternative would be to legislate in favour or making cyber security a requirement. But – as we’ve observed before – this puts a tremendous amount of power into the hands of the businesses that implement the solutions.
They would be able to charge what they like in order to put in place government mandated measures.
That’s bad for everyone.
A third option is to fine businesses who fall victim of preventable cyber-attacks. Although, again this would cause the same issue with solution suppliers.
A better alternative would be to incentivise businesses instead. Either through the form tax rebates or other benefits, businesses who invest in cyber security, and meet the highest government standards are rewarded accordingly.
The answer isn’t a simple one. Or even a cheap one. There needs to be a mindset change in businesses of all sizes to acknowledge that they are all a potential target for cyber-attacks.
And rather than looking for the lowest cost, look for the best solution. Or at least the best value solution.
Of course, there are budgets and spending limits. After all what good is the best cyber security if it bankrupts the business? But chances are there’s a solution out there to meet requirements and suit budgets.
Regardless, the numbers suggest we’re passed the point where cyber security is a luxury. Or a nice to have.
Or if you’re looking for you next role, submit your CV.