The British Chambers of Commerce (BCC) has published the results from its recent digital survey. They show that one in five businesses (20%) have fallen victim to a cyber-attack in the past year. The survey included 1,285 businesses across the UK and took place in January 2017. This is the latest release to come out of the survey, the full details of which are not publicly available.
The press release included a statement from Dr Adam Marshall, Director General of the British Chambers of Commerce (BCC). In it he said: “Cyber-attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses but costs from disruption to their business and productivity. While firms of all sizes – from major corporations to one-man operations – fall prey to attacks, our evidence shows that large companies are more likely to experience them.”
Businesses relying on third-party support
There is a distinct skills gap when something goes wrong. According to the survey, 63% of businesses rely on their IT providers when they come under attack. The problem with this approach is the time delay between attack and response. It also confirms other reports showing that businesses are abdicating responsibility for IT security. While there is a case for this among small businesses, mid-sized and large businesses cannot rely on someone else.
The slow response rate when relying on a third party does not help reputation. It also assumes that IT suppliers are themselves capable of dealing with a cyber-attack. There is no evidence that many small IT shops are any better than their customers in this respect. Like their customers, they have limited skills and funds, which means skilled IT security staff are outside their budget.
When it comes to very large institutions such as banks and other financial institutions, only 12% rely on outside help. Part of this will be their ability to attract and retain key security staff. There will also be regulatory issues at play. These dictate the need to control access to systems and maintain high levels of security. Reputation management and incident response are also activities practised by large enterprises. As such, when they are breached, they are able to respond to the attacks.
BCC worried about the lack of security accreditation
One of the key issues that the BCC calls out is the lack of cyber security accreditation among businesses. Less than a quarter (24%) have any cyber security accreditation. Unsurprisingly, the lack of accreditation is higher among smaller businesses. Just 10% of sole traders have any form of cyber security accreditation. That rises to a whopping 15% for businesses with up to 4 employees. Even among businesses with over 100 employees, only 47% have any form of cyber security accreditation.
This is not only poor but raises questions about the success of the UK Government-sponsored Cyber Essentials programme. The programme is relatively simple, and it is hard to see how any business can fail to reach the minimum level required to be accredited. It costs at least £300 for the basic Cyber Essentials and much more for Cyber Essentials Plus. For many sole traders and small businesses this cost is likely to be one reason for not seeking accreditation.
This is something that the BCC and the new National Cyber Security Centre (NCSC) need to deal with. The BCC could help develop workshops for its members. These would raise awareness and provide guidance on how to prepare for accreditation. The government also needs to think about how it can help reduce the cost. Having outsourced the whole process, it could consider a business tax credit for sole traders and small businesses to cover the cost of Cyber Essentials.
This is just the latest survey showing how poor cyber security is among UK businesses. The longer it takes to address the problem effectively, the worse it will get. There are ways to improve the situation, but they require support from central government and industry bodies. That support is not there, and there is no sign of it coming.
This is not just an issue for smaller companies. Many are part of the supply chains that larger organisations are building. The IT systems of customers, partners and suppliers are becoming ever more integrated. If the cyber security of small businesses is not dealt with, they will continue to be the weak link in any organisation's cyber security.
To protect themselves, larger businesses will have to start making hard choices. They may start demanding proof of cyber security accreditation from their suppliers and customers. It is also reasonable to expect that they will want proof of cyber insurance to protect themselves from a breach caused by a third party. A number of recent high-profile attacks on cloud-based systems such as Apple iCloud came from insecure third-party systems that were breached.
The EU General Data Protection Regulation (GDPR) goes live in 2018. A failure to act now could leave many business owners facing crippling and even business-ending fines.