Today's CEOs have enough on their plates; profitability, growth, spiralling costs, reputation and compliance. Cybersecurity often comes way down the list. But just one breach could undo all your efforts. Interrupting your business, losing customers and leaving you open to litigation and investigation.
Let's start by being clear on what we mean by UK cyber attacks. It's any electronic or online intervention by a malicious source. It's designed to restrict business, reduce access, steal data or intellectual property. Often, the aim is to extract funds by direct fraud or ransom demand.
Will you be on the list of UK cyber attacks?
Probably yes. 39% of UK businesses were subject to at least one cyber attack they knew about in 2022*. Of these, the most common (83%) was a phishing attack, where innocuous-looking communications dupe staff into taking actions that allow malicious access to sensitive data and/or financial instruments.
The remainder were more sophisticated attacks, such as a denial of service, malware, or ransomware attack, where the perpetrators demand funds to allow the target business to continue trading or to prevent the malicious use of their (and their customers') sensitive data.
Due to reputational damage, many such attacks go unreported unless customer data is compromised, so the figures are probably much higher.
So what are the business implications?
20% of these businesses directly lost funds or data. Over 35% experienced some form of impact. That included making provision for tighter security, diverting staff from other tasks, repair and recovery costs. It also included the loss of goods or services, loss of reputation, revenue or share value, customer complaints. Plus compensation, fines, legal costs and direct payment of ransom.
For businesses that report a material outcome, nearly 40% took over 24hrs to recover, and 8% took up to a week.*
And the financial costs?
Where a breach caused an identifiable outcome, the mean cost to small businesses was £3,080, rising to £19,400 for larger firms. Add to that the average indirect costs of £3,770 for the most disruptive breach (time when staff could not work, lost files or intellectual property and the cost of devices or equipment that needed replacing).
So, is your cyber security typical?
Here's the concluding paragraph from the UK Government Report 'UK Cyber Security Breaches Survey 2022':
"…there is room for improvement in many elements of organisations' cyber hygiene. It is clear that cyber resilience is highly influenced by board behaviours.
Though the high-level prioritisation of cyber security amongst boards is high, this does not translate into high expertise. Furthermore, cyber and IT staff are unable to justify the business case for cyber security, which impacts the ability to make effective cyber security decisions.
This means investments are often not made into key areas that enhance organisations' cyber security. This leads to a reactive approach to cyber incidents as opposed to a proactive approach in limiting cyber risk."
This attitude among boards has meant that just over half of businesses (54%) have acted in the past year to identify risks from cyber security attacks and to put precautions in place. Security monitoring tools were the most common at 35%.
Limited understanding resulted in board members often passing responsibility for risk to insurance companies (the 'horse has bolted' option, so no reduction of reputational damage). Alternatively, it was given to an internal cyber colleague (as shown above, this was only sometimes subject to high expertise) or outsourced to cyber providers.
The benefits of outsourced cyber security
Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time, respectively. They cite access to more significant expertise, resources, and cyber security standards. And with good reason. The arguments for outsourced cyber security are unequivocal for all but the largest businesses...
- The security landscape is changing daily. It is almost impossible for smaller IT departments to maintain the skillsets necessary to keep pace with the arms race of organised crime and malicious viruses. Most good MSPs would have the expertise, the capacity, the diversity of skills and the up-to-date anti-virus solutions and patches to maintain third-party cyber security AND respond quickly and appropriately in the face of an attack or a breach.
- Turn CapEx to OpEx. Instead of funding spikes for software and hardware updates, threat response and skills gaps, costs can be spread, reducing the need for board permissions and fiscal black holes.
- Staff churn, illness, holidays, and maternity/paternity leave; affect staffing levels in all businesses, particularly in smaller organisations. Working with a reputable MSP will ensure the right people, with the right experience, are always on hand to maintain your defences and respond to threats appropriately.
Before you upgrade your internal cyber threat resources, consider the benefits of outsourcing so you can concentrate on your core business and your IT team can focus on more productive projects. Give someone else the headache of dealing with UK cyber attacks.
*Figures sourced from Gov.UK Cyber Security Breaches Survey 2022