According to the Cyber Security Breaches Survey carried out on behalf of the UK Government, almost 70% of UK businesses suffered virus, spyware or malware attacks in 2015. Concluding that businesses must do more to protect themselves against cyber attacks, the report says that the most common attacks could have been prevented using the Government’s Cyber Essentials scheme. This is a damning statement from a government which claims to have already invested £9.1bn to protect UK industry.
A statement from Minister for the Digital Economy Ed Vaizey said: “The UK is a world-leading digital economy and this Government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”
Companies unprepared for a cyber breach
Coming before the impending arrival of the EU GDPR this survey should cause significant unease in boardrooms. It highlights that 25% of large firms experience a breach at least once per month. How serious those breaches were and what data was lost is not given. The survey does say that the cost of rectifying a breach has increased. Those costs will climb substantially when the GDPR comes into force with fines of up to 5% of global turnover a realistic possibility for the most serious breaches.
In the last two years boardrooms have been approving increased budgets to protect data. Unfortunately the survey claims that only 50% of companies have taken any recommended actions to identify and address vulnerabilities. This raises the spectre of Chief Information Security Officers (CISOs) having to explain where all that money has gone.
Where it hasn’t gone, according to the survey, is into processes and policies. Shockingly, only 33% of companies have cyber security policies and only 10% have an incident management plan in place. One of the requirements of the GDPR is mandatory breach notification. Failure to notify will incur fines on top of those for the loss of data.
Incident management plans are more than just notifying the relevant authorities of a data breach. They cover how the business will recover from an incident, be that fire, theft or a cyber attack. This makes them fairly complex, and there is a need for everyone involved, especially those charged with dealing with the media, to understand what is involved and to have a coordinated message. We’ve seen examples in the past where reputational damage can lead to the loss of a business, and for companies listed on the stock exchange there is also the risk of a shareholder revolt and even a lawsuit for negligence should share prices be badly damaged.
This survey paints a poor picture of the state of cyber security defences inside British companies. Are things as bad as the headline numbers say? In many cases no. A lot of money has been invested in beefing up cyber security but there is always more to do. What this survey suggests is that while money is being invested there is a lack of direction on how it is spent and what it is intended to deliver.
The call from the UK Government for businesses to do more to protect themselves is a warning. If they don’t, they will find themselves falling short of the requirements of the GDPR, and the fines alone could do far more damage than the actual loss of data. Worse still, inaction could spur regulators into creating more legislation that will cost money to implement and police. In the end businesses need to up their game or face the consequences.