Startling new Government research claims that two out of three bosses at the UK’s biggest companies have not been trained in how to tackle cyber-attacks, and that a worrying 10 per cent of large businesses do not even have a plan in place to respond to a cyber incident. This is despite more widespread news coverage than ever before of a seemingly never-ending list of high-profile cyber-attacks, such as the 2015 hack on TalkTalk or this year’s ransomware attack on the NHS.
Back in November 2016, in an attempt to mitigate the dangers of these increasingly prevalent cyber-attacks, the government announced a £1.9 billion investment to help UK businesses protect themselves. However, as this research shows, more needs to be done. Matt Hancock, the government’s digital minister, said of the results: “Recent cyber-attacks have shown the devastating effects of not getting our approach to cybersecurity right. These new reports show we have a long way to go until all our organisations are adopting best practice.”
Not if, but when
The unfortunate truth for UK businesses is that suffering a cyber-attack is not a matter of if, but when. Thankfully, many boards now realise this, with more than half of respondents to the research saying they consider cyber-attacks to be one of the biggest risks they now face. Driven mainly by the threat of large fines under the GDPR and similar regulations, boards are now putting increased pressure on their IT departments to ensure their networks are resilient against a cyber-attack.
Today, the board has a responsibility to take appropriate steps to keep its company safe. With the GDPR and its punishing fines coming into force in May 2018, taking appropriate steps to protect data both at rest and in transit is now critical, especially if you hold a lot of personally identifiable information.
The days when simply having a firewall provided suitable protection for a company have long since passed. Boards now need to look at a mixture of proactive security measures: frequent reviews of security-related logs (most applications and operating systems record failed logon attempts and other events that can reveal an attack while it is still emerging, but only if someone actually looks at them), and regular vulnerability scanning to highlight possible points of weakness before an attacker finds them.
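The log review described above is the kind of check that is easy to automate. The following is an added example, not code from the original article: it parses a handful of constructed, OpenSSH-style authentication log lines (not real traffic; the IP addresses are documentation ranges) and flags any source address that racks up a threshold number of failed logons within a short window, which is the classic signature of a password-guessing attack. The threshold, window and year (syslog lines carry no year) are assumed parameters, chosen for illustration.

```python
"""Flag bursts of failed logons per source address in auth-style log lines.

Added example: the log format is OpenSSH/syslog style, the sample lines are
constructed, and the threshold/window defaults are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). One source hammers the host with
# guesses against several accounts; a second source has one typo then succeeds.
SAMPLE_LOG = """\
Jan 12 09:00:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 09:00:03 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 09:00:04 web01 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jan 12 09:00:06 web01 sshd[4107]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 12 09:00:08 web01 sshd[4109]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 12 09:00:09 web01 sshd[4111]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jan 12 09:15:00 web01 sshd[4201]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Jan 12 09:15:30 web01 sshd[4203]: Accepted password for alice from 198.51.100.20 port 40101 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP port N" and
# "Accepted <method> for X from IP port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2024):
    """Return a dict for a recognised sshd auth line, or None for anything else.

    syslog timestamps omit the year, so the caller supplies it (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {src: (failure_count, sorted_usernames)} for every source that
    produced at least `threshold` failed logons inside any `window`-long span.
    """
    failures = defaultdict(list)  # src -> [(timestamp, username), ...]
    for line in lines:
        ev = parse(line)
        if ev and ev["outcome"] == "Failed":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        end = 0
        # Sliding window: for each start event, extend `end` while the span
        # still fits inside `window`; the first span that meets the threshold
        # is enough to raise an alert for this source.
        for start in range(len(events)):
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            if end - start >= threshold:
                users = sorted({user for _, user in events[start:end]})
                alerts[src] = (end - start, users)
                break
    return alerts


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {count} failed logons against {users}")
```

On the sample above only 203.0.113.7 is reported (five failures in seven seconds against admin, root and test); the single failed attempt from 198.51.100.20 followed by a successful logon is the ordinary behaviour of a user mistyping a password and is left alone. The same approach generalises to any application that records failed authentication, which is exactly the evidence the paragraph says boards should be asking to see reviewed.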
Safety in numbers
At the very least, the board should have a regular agenda topic during board meetings on reviewing security and establish suitable indicators to determine the level of risk within the company and what level is acceptable. However, it is far better to get cyber awareness buy-in from top to bottom throughout the organisation. One of the most effective ways to do this is to involve multiple areas from the business in a security sub-group and task them with educating those around them on the dangers of the various emerging modern-day cyber-attack vectors.
This security sub-group should meet regularly to review potential security issues and ensure the right focus is placed internally on them. It should also drive the drafting and adoption of a company-wide cyber security strategy: a set of practices that covers the realistic scenarios the business faces and is distributed to all employees to raise awareness of potential issues and of everyone’s role in the event of an attack. For such a strategy to be truly beneficial, it needs to be tailored to the nature and needs of the business it is meant to protect; simply taking someone else’s strategy and swapping the names around will not yield any positive results.
According to the Information Commissioner’s Office (ICO), human error accounts for the majority of data breaches, whether through social engineering, clicking on a link in an email or downloading something from the internet. It is, therefore, important that everyone within the organisation knows their ransomware from their phishing attack.
Time to be proactive
In the past, many organisations’ approach to cyber security was simply a reactive one. They only did something once they had experienced a breach and until then would blissfully bury their heads in the sand. However, with research finding that just under half (46 per cent) of all businesses in the UK have detected at least one cyber-attack within the last 12 months, they need to be more proactive. Further, of those businesses that had admitted detecting an attack, over a third (37 per cent) said they typically experience an attack at least once a month, while over one in ten (13 per cent) said they now come under attack every single day.
The tide has certainly turned: it is now widely accepted that cyber-attacks are almost inevitable, security sits at or near the top of almost every organisation’s agenda, and budgets have grown. Even so, there is still a lot more to be done before companies can claim a truly proactive approach to cyber security.
Time to mitigate the risk
Businesses need to adopt a proactive approach towards cyber security. It wasn’t too long ago that many could afford to sit back and wait for an attack to present itself before considering the most appropriate way of dealing with it, but that simply isn’t possible now: the threat is too great and the consequences too severe. All businesses, whatever their size or sector, need to move from an ‘if’ to a ‘when’ mindset, which means proper preparation and planning for the scenarios they are likely to face.
Successful cyber security requires a multi-layered approach and is constantly evolving to meet the needs of the business and address the changing threat landscape. A large part of this includes involvement and buy-in from the entire organisation, as well as a significant focus on mitigating the risk of human error through programmes such as user education. As cyber-attacks grow in both sophistication and frequency, these steps have an increasingly important role to play in protecting the business and helping mitigate risk.