Calling All Board Members: It’s Time to Seek Cybersecurity Help
In insight / By Phil Muncaster / 27 April 2017
We all know that organisations up and down the UK are facing an ever-growing threat from cyberspace. But just how big is the scale of this threat, and how well prepared are firms to defend themselves from an agile and determined enemy? These are always difficult questions to answer, but some new reports issued over the past week or two help shine a light on a topic about which so much said is often conjecture. According to the government, around half (46%) of UK firms suffered at least one attack last year.
If these findings don’t focus the minds of boardrooms across the country, then a third piece of research just might, linking severe data breach incidents for the first time to share price performance. The results should make for pretty nervy reading.
Risk goes digital
Let’s start with the government’s Cyber Security Breaches Survey 2017, a 60-page report compiled by IPSOS MORI and experts at the University of Portsmouth after interviews with over 1,500 businesses of all sizes. It sets out the main challenges facing UK organisations today: namely that as more and more go digital, they expose themselves to the risk of cyber attack. Typical areas of risk included email, websites, e-commerce capabilities, online banking, cloud computing and BYOD.
So far, so predictable.
Then comes the interesting bit. On the face of it, UK firms are well aware of the challenges facing them from cyberspace. Some 74% of respondents claimed cybersecurity is a high priority for senior management, and 79% of mid-sized firms said they’d sought “information, advice or guidance” in the past year on cyber threats. What’s more, 87% of this category of firms have allocated budget to security.
Even more encouraging, half of all firms surveyed (52%) said they’d put in place “basic technical controls” across the five areas highlighted by the government-backed Cyber Essentials scheme. And 57% said they’d tried to identify cyber risks through health checks or risk assessments, up from 51% in 2016.
No formalised approach
However, the bad news is that this is where the best practice appears to end. In fact, the picture is of many organisations failing to put even basic protections in place. For example:
• Just 11% have an incident management plan
• Only 29% have a board member responsible for security
• Only 13% require third party to meet cybersecurity best practice
• A third have a formal policy covering cybersecurity risk
The news gets even worse when one considers the level of threats facing these organisations. Medium and large businesses in particular were particularly badly hit over the past year, with 66% and 68% claiming to have suffered at least one cyber attack or breach.
Are these findings incontrovertible? Not exactly. But the government isn’t alone in highlighting the level of risk facing UK firms. A few days earlier, the British Chambers of Commerce 2017 (BCC) issued its own research claiming that 42% of firms with more than 100 staff had suffered a cyber attack in the past year. Sound familiar?
Time to take notice
Unfortunately the reaction of many board members is all too familiar: ignore the security guys and focus on commercial interests until you’re hit by the big one – a breach that could send the firm into freefall. TalkTalk’s 2015 breach only compromised around 160,000 customers but ended up costing the firm in excess of £60m thanks to a combination of fines, clean-up costs and customer attrition.
Yet despite high profile incidents like these, many board members continue to stick their collective heads in the sand. That’s why a new report 2017 from Oxford Economics could be a useful one for security bosses to have handy.
It calculated that FTSE100 PLCs can expect their share price to drop by £120m or 1.8% on average following a severe breach. Given the lack of research in this area thus far, it’s a valuable reminder of the benefits of taking a proactive approach to threat prevention.
What happens next?
So where do we go from here? Well, one positive highlighted by both the BCC and government was the value of the Cyber Essentials scheme. This security certification scheme allows firms to implement a baseline of best practice security that if done correctly should prevent the vast majority of attacks out there. Yet only 8% of firms are aware of it, according to the government.
The BCC was more optimistic, claiming a quarter of firms have cyber security accreditations in place. But more awareness raising clearly needs to be done, especially when half of those it interviewed said such certifications give their business a competitive advantage.
If you’re a smaller organisation struggling to find the time and resources to investigate schemes like this, consider finding a managed services partner who can help you with this. And don’t forget to hold your third-party suppliers to the same standards, because if they’re compromised, it could give hackers easy access to your systems.
Cybersecurity can often seem intimidatingly difficult to get right. But that’s exactly what the hackers are counting on. That’s why a little effort to make sure you’re spending that budget on the right things, will go a long way.