Cyber security ignored? Two thirds of all big businesses in UK breached in the past year
A survey indicates that two-thirds of all big UK businesses have suffered cyber-attacks during the past year, and many were preventable. Were issues of cyber security ignored?
Cyber security must inform every Board-level decision
Threats from hackers to British businesses are only getting worse, with a survey now revealing that two-thirds of all big businesses in the UK were breached at some point in the past year. Overall, 24% of businesses in the UK were breached, mostly either medium or large firms.
Is cyber security ignored?
The Cyber Security Breaches Survey, undertaken by Ipsos Mori for the UK government, shows that the most common types of cyber security breaches were viruses, spyware or malware, and impersonation of the organization. The survey, commissioned by the Department for Culture, Media and Sport as part of the National Cyber Security Program, found that only half of all firms surveyed had implemented basic security controls across the five major areas laid out under the government-backed Cyber Essentials Scheme.
Those who did manage to detect breaches in the past 12 months incurred an average estimated cost of £3,480 ($5,020). The number for large firms was much higher at £36,500. Digital Economy Minister Ed Vaizey termed the breaches worrisome and said:
“The UK is a world-leading digital economy and this government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyber-attacks. It’s absolutely crucial businesses are secure and can protect data.”
The survey also reveals that 7 out of 10 attacks on all of these firms could have been prevented. One of the reasons for this seems to stem from the fact that while 53% of all businesses in the country consider online services to be a core part of their offering, only a fifth of them have a clear view of the dangers of sharing information with third parties. Surprisingly, fewer (34%) have rules specifically catering to personal data encryption, which has been the chief cause of various high-profile cyber security breaches recently.
The survey shows that while medium and large businesses have more sophisticated approaches to such breaches, they are also the ones who are most vulnerable. To improve their defenses, they need to implement stricter data encryption rules, offer staff training on such incidents, and use their market position to raise standards among smaller suppliers. The government is investing £1.9bn over the next five years to tackle and prevent cybercrime, and a new National Cyber Security Centre will offer security support. Also, Britain’s national cyber security strategy will be published later this year, setting out proposals to improve online security for the government, among businesses and for consumers.
A quick review around the world shows that 63% of Australian businesses may have been hit by at least one security breach, but that is not too bad compared to India (94%), Malaysia (89%), Thailand (88%), Brazil (87%) and Mexico (87%). Japan had the lowest break-in rate at 39%.
Cyber-savvy non-executive directors are key to changing Board mind-set, say APMG International and Templar Executives
Too many board decisions are being made without considering cyber security, leaving companies open to increased information risk and threats. The cyber security training and certification firms have called for a serious shake-up to traditional Board meetings and for non-executive directors to hold directors to greater account for their cyber decisions.
APMG warned earlier this month that understanding cyber security and acting on it has now become part of a Board member and non-executive director’s legal duty of care to a company. However, both firms claim that today an alarming number of Board decisions are made without looking at them through a cyber security lens.
Andrew Fitzmaurice, CEO of Templar Executives, award winners of the ‘Best Cyber Security Firm 2015’, says:
“Up until this point, the building blocks of decision making have typically omitted the cyber security threat landscape. While there is an argument to say that this is verging on corporate negligence, it is just a symptom of routine; the Chief Information Security Officer might come to the Board meeting twice a year to give a briefing that few understand. This needs to change. The cyber security threat landscape is too complex, fast-paced and important for Boards to ignore. This is a leadership and business issue. Boards must accept accountability and proactively foster a positive and holistic cyber security culture incorporating governance, policy, people and processes, as well as technology – so good practice becomes the norm.
“The most successful Boards start every meeting with a quick dashboard of the cyber security threat landscape and how they are doing, as well as the level of maturity to prevent and defend against attacks. From this point on, the company is in a position of strength to make decisions, with improved confidence, to meet business outcomes,” he said.