UK government reports on business breaches and it’s not pretty

The UK has unexpectedly gone into general election mode, so it is an odd time for its government to publish its Cyber Security Breaches Report 2017, which puts the number of cyber attacks on businesses over the past 12 months at 2.5m or more.

The report found that just under half of UK businesses (46%) have experienced some form of cyber attack, most often delivered as malware in email attachments or through links to fraudulent websites. What’s more, fewer than a third of UK businesses have a board member specifically responsible for cyber security, and a “significant proportion” (the closest the government comes to an actual figure) do not have even basic protections in place.

The report puts the losses from a breach at a large firm at up to around £20,000, which is less alarming than some of the figures bandied about elsewhere.

Martijn Verbree, partner in KPMG’s cyber security practice, suggested that the true number of attacks is likely higher than the 2.5m reported.

The real number of organisations being attacked is likely much higher as most businesses do not bother to report such incidents or at worst, they do not know that they have even been breached.

We are also seeing that attacks are getting more and more personal and sophisticated. Often, attackers use information they can find on social media to make the emails really personal. For example, by referring to names of bosses or other colleagues, or even writing emails that affect the recipient emotionally (“you owe us £xxxx”) – trying to get them to click on links without thinking.

It’s unfortunate, but as a result we expect that the number of such successful attacks will increase in the coming year, especially amongst smaller and medium sized companies that do not have a lot of skills and expertise in cyber security.

Mark James, IT Security Specialist at ESET, saw some positives, however. For one, companies appear to be taking security more seriously:

With the emphasis on prevention and awareness, more people are realising they can help and it’s not just the job of the IT department. With so much of our business and personal lives being digital these days we are encountering cyber-attacks in so many more ways, either through our day-to-day jobs, social networks, email or web browsing; the attack is relentless.

But this report shows we are seeing signs of increased spending on resources, hiring of experienced personnel and a better understanding of how and why we need to invest today to protect tomorrow’s data. It’s the only way we will win.

Verbree added the usual sensible advice that so often goes unheeded: don’t click on suspicious links; back up your data, keeping copies offline or otherwise out of reach of ransomware so that an infection can’t destroy them all; and sign up to government-backed cyber security schemes.

Naked Security owner Sophos had its own perspective. John Shaw, VP Product Management, ESG, said businesses needed to get the security basics under control:

This is partly about investing in better IT security products, such as next generation endpoint protection that can stop ransomware attacks in their tracks, but just as importantly it is about investing time – time for the IT team to put in place the protections that are needed, time for training all staff on cybersecurity awareness especially around email “phishing”, and time for senior management to pay attention to security issues when they do occur.

We admire the work of the new National Cyber Security Centre and their revived “10 steps” programme, but unfortunately, as the report shows, businesses don’t naturally turn to the government for advice on computing and security. The responsibility has to come down to business leaders, who need to pay more attention to the IT professionals who work for them and advise them.

The huge cost and disruption that an incident like a ransomware attack can cause should be motivation enough, but to help business leaders focus even more, the advent of the General Data Protection Regulation (GDPR) in May 2018 will mean that organisations will a) face greater regulation around reporting breaches and b) face potentially far greater fines – up to a terrifying 4% of revenues – if their data protection measures are found lacking. It may sound a long way off, but 12 months is not long to get your house in order, and now is the time to start.