A "sizable proportion" of businesses have still not put in place basic protection and policies to protect themselves from attack.
That’s one of the conclusions of a newly-published UK government survey which uncovered that 46% of all UK businesses had “identified at least one cybersecurity breach or attack in the last 12 months.”
Before you feel smug that your business is doing everything it should to thwart online criminals, ask yourself honestly if you can count your company in the following categories:
- Under two-fifths of companies have segregated wireless networks, or any rules around encryption of personal data (37% in each case).
- A third of companies have a formal policy that covers cyber security risks (33%), or document these risks in business continuity plans, internal audits, or risk registers (32%).
- Less than a third of business (29%) have made specific board members responsible for cyber security.
- A fifth (20%) of firms have had their staff attend cyber security training in the last 12 months – with non-specialist staff particularly unlikely to have attended.
- One-fifth (19%) of businesses are worried about the computer security of their suppliers, but a mere 13% require suppliers to adhere to specific cyber security standards or good practice.
- A mere one in ten (11%) have a management plan in place in the case of a cyber security incident.
Statistics suggest that – more likely than not - the company you work for is failing to reach at least some of these standards.
The Cyber Security Breaches Survey 2017, based upon a three month study of 1,523 UK businesses, found that the larger your organisation the more attacks you experience.
The most commonly reported breaches involved staff receiving fraudulent emails (72%), malware attacks (33%), impersonation of the organisation via email or online (27%), and ransomware (17%).
And even though attacks can frequently have a financial impact on business, external reporting of incidents remains uncommon.
According to the report, only a quarter of business victims reported their disruptive breach to anyone other than their security vendor.
“The findings suggest that some businesses lack awareness of who to report to, why to report breaches, and what reporting achieves.”
That statistic disturbs me, because if we fail to report computer security breaches appropriately, how can we hope to measure if businesses are doing a better or worse job of protecting our personal information?
Furthermore, how are the authorities supposed to determine if more money needs to be invested in educating industry in how to better defend against attacks, and providing more resources to law enforcement agencies to catch those responsible.
Although this particular survey focuses on UK businesses, there is no doubt that the problem is a global one – affecting organisations of all sizes and sectors.
More firms are waking up to the importance of effective computer security, and have seen the financial and reputational damage that can occur when a hacker manages to breach their systems.
It feels to me that the rise in prominence of ransomware in the last couple of years has particularly raised helped to raise awareness inside businesses of the threat, and made network security a more urgent issue in the boardroom.
And yet too many companies are still failing to take the most simple steps to reduce the chances of a successful breach.
IT security isn’t just a technical problem. It’s actually primarily a human problem. Some of the most commonly encountered attacks can be countered by having a skilled workforce who have been trained in what to look out for, and to contact their IT helpdesk if they think they’ve spotted something suspicious.
By raising awareness of threats, by educating staff as to what to look out for, by preparing for an incident before it occurs, and putting sensible defences in place to reduce their impact, you can dramatically reduce your company being the next statistic.