date 2023-08-01

Global brands have been on the wrong end of cyber attacks

The UK government recently published findings on cyber security that should provide a wake-up call for businesses.

The Cyber Security Breaches Survey from the Department for Science, Information and Technology (DSIT) sheds light on the current state of cyber hygiene among businesses, particularly small and medium-sized enterprises.

It is evident, and indeed alarming, that there has been a marked decline in some areas of ‘cyber hygiene’ among businesses that warrants immediate attention and action.

Why is it important? Well, you don’t have to delve too deeply to find high-profile incidents of cyber breaches that have garnered headlines, even for some globally recognised brands, for all the wrong reasons.

In June, a major incident caught up organisations as large as the BBC, British Airways, Boots and Aer Lingus.

A malicious ransomware group exploited a vulnerability in file transfer software used by the companies, enabling it to access sensitive employee data.

Last week, meanwhile, it emerged that two NHS ambulance trusts in England were left unable to access patient records after they became victims of an attack on a Swedish health tech firm.

The incidents, and countless others like them, are not just embarrassing for the businesses involved but have serious ramifications in terms of costs, continuity of services and reputation, to name a few.

With examples too numerous to mention, it’s clear businesses should be on high alert.

The DSIT report showed that in 2022, 39% of businesses and 30% of charities recalled experiencing breaches or attacks. This year, the figure has dropped to 32% of businesses and 24% of charities.

On the face of it, this may sound like a good statistic. However, the decline in identification may actually be indicative of a shift in the perception of cyber security as a lower priority, with those in senior positions within companies instead focusing on other matters such as inflation or other economic concerns.

However, such an outlook can be detrimental, as cyber threats remain a common menace, regardless of the economic situation. Among the more concerning findings is that smaller organisations are identifying cyber breaches and attacks much less frequently than they had been previously.

And the drop-off in cyber security vigilance is more prominent among micro businesses, where cyber security was deemed a high priority by 80% in 2022 but has now reduced to 68%.

To combat the prevailing cyber threats, businesses must adopt a proactive approach to ‘cyber hygiene’.

The decline in certain areas of cyber hygiene, particularly among SMEs, is, to put it mildly, worrisome. The usage of password policies, network firewalls, restricting admin rights, and timely software security updates, for example, have all seen consistent declines among businesses over recent years.

To those of us in the industry, these are viewed very much as ‘quick wins’ that can easily be addressed.

It is essential for businesses to identify and manage what may appear as minor cyber risks effectively, particularly as the survey found the single most disruptive breach for the average company last year cost the impacted business around £1,100.

For medium and large businesses, this figure rose to just shy of £5,000.

It’s no surprise that larger businesses are more advanced in their efforts to protect themselves, with a majority now reviewing supply chain risks connected to cyber concerns, for example.

However, there is room for improvement across organisations, especially when it comes to cyber risk assessments, deployment of security monitoring tools, and cyber insurance coverage.

Board engagement and corporate governance are also crucial components of a robust cyber security strategy, but the government report found that many businesses, even large ones, do not have board members explicitly responsible for cyber security.

It is vital for businesses to bridge this gap and prioritise cyber security at every level, ensuring a holistic approach to cyber defence.

Initiatives such as the government-backed Cyber Essentials scheme, which helps businesses assess and mitigate their vulnerability, can significantly enhance their cyber defence posture.

It is encouraging to see that a significant proportion of businesses seek external information or guidance on cyber security.

However, the number of organisations adhering to recognised cyber security standards or accreditations, such as Cyber Essentials or ISO 27001, remains relatively low.

By seeking external guidance, adhering to cyber security standards, and continuously improving incident response capabilities, businesses can build resilient defences against cyber threats.

Remember, cyber security is not a luxury — it’s a necessity.

David Armstrong is chief executive of b4b Group