Cyberthreats are increasing. It was recently reported that risk has soared 235 per cent in the last year, with small businesses most vulnerable to cyber-related attacks. Experts have been raising their voices to urge all businesses to ramp up their security defences as the overarching financial cost of breaches has been seen to grow in line with increasing threats.
A recent Hiscox study involving more than 5,400 small, medium and large businesses across seven countries found that 55 per cent of UK firms had faced an attack in the past 12 months - up from 40 per cent last year. But despite this, it was also revealed that UK respondents had the lowest cybersecurity budgets of the markets surveyed - spending less than $900,000 compared to the average of $1.46m invested by businesses in other countries.
While larger organisations and certain sectors - namely finance - are beginning to recognise these risks and act, smaller to medium-sized businesses across the board are still a few steps behind. In the last three months alone, we have seen over 50 smaller businesses across a range of sectors accidentally leaking information that cybercriminals can access and abuse. This can have disastrous consequences to the value of a company, so naturally, protection against breaches should be a key business objective.
‘All the gear and no idea’
Although it’s clear that more needs to be done, IT managers are attempting to invest the best infrastructure they can within the means they have to protect their business. Cybersecurity is an issue that requires the involvement of all staff from every department, junior to senior - tools alone can only do so much. A government report released in March found that fewer than one in five boards can claim to understand the impact of loss or disruption associated with cyberthreats, despite 96 per cent having a cyber security strategy in place.
These statistics are somewhat concerning as the board’s approach and employee attitudes to cybersecurity are as important as the infrastructure put in place to protect the business. Non-IT staff and board members appear to have an ‘all the gear and no idea’ mentality – while it’s positive that IT teams are investing what they can into the right technology, it means very little if nobody in the wider business understands how to keep the company’s data safe.
Proactive cybersecurity protection.
Unfortunately, problems tend to stem from a lack of awareness borne outside of the workplace, with staff’s poor approach to cybersecurity seeping into their habits in the workplace. According to our data, people are still failing to learn how to spot basic phishing emails and interact with scams widely known - the TV Licensing phishing emails for example. We also find that too many consumers fall into the trap of thinking that having antivirus offers them all the protection they need – rather than feeling self-sufficient and armed with the knowledge that will protect them from social engineering scams.
However, the risks associated with this can be mitigated by taking a few simple steps to ensure that an individual’s cyber-habits are hygienic and extend to the workplace, protecting the entire network. Regular training, for example, should be implemented so that everyone associated with the company is trained in vigilance and pre-empting cybersecurity threats. The threats they typically need to be most conscious of are risks that attempt to infiltrate the business’s safety from the outside. Human beings are often better than machines when it comes to detecting and understanding complex threats. For instance, something like a socially engineered phishing scam may have all the cosmetic and technological components that make it seem legitimate – but it’s often human suspicion that prevents someone from falling victim to the scam
Likewise, due diligence also needs to be ingrained into company employees when they are dealing with third parties. Companies are increasingly being held responsible for the actions of suppliers and vendors. The IT department and the rest of the business therefore need to co-operate to identify the third parties that pose the most risk – including how they collect data, their GDPR compliance, whether the data is stored on cloud-based systems or within a secure server as well as whether they have a sufficient cybersecurity rating.
In addition to this, regular cybersecurity performance tests can help enterprises keep track of their security credentials, which in turn, will help to inform digital decisions going forward.
It’s important to note that building and reinforcing a resilient cybersecurity strategy lies in regular education of all employees and equipping them with the knowledge and tools to detect and prevent attacks. Whilst there are continuously improving regulations, businesses and consumers need to be confident that they are each playing their part in protecting their data and combating cybercrime. Even with the smallest of budgets, training staff and maintaining a good understanding of cybersecurity is the least anyone can do.
Andrew Martin, CEO, DynaRisk