
Cyber plan lacking

by Mark Rowe

Many UK businesses have no formal plan to protect their business from a cyber-attack and the number of companies preparing themselves has not improved from a year ago. This is according to a report from the Institute of Directors and Barclays.

Although almost all companies (94pc) think security of their IT systems is important, only half (56pc, according to a survey of 845 members of the IoD in December 2016) have a formal strategy in place to protect their devices and data, unchanged in the last year (from 57pc, according to a survey of 980 members in December 2015). The report, Cyber security: Ensuring business is ready for the 21st century, supported by Barclays, shows that despite a number of high-profile cyber-attacks over the last year, more than a third (37pc) of IoD members lead or work in organisations without a formal cyber security strategy. Worse still, if cybercrime were to hit their business, 40pc would not know who to report it to.

The new EU General Data Protection Regulation, which comes into effect by May 2018, will make companies much more accountable for their customers’ data. The IoD and Barclays are urging business leaders to step up their preparations now. The IoD and the bank point to the founding of the National Cyber Security Centre. By bringing together several agencies, and placing the centre within GCHQ, the UK authorities are well-placed to detect and understand cyber threats, the report suggests. For businesses, however, ultimate responsibility will always lie in the boardroom. The report suggests nearly half of UK firms (44pc) don’t have any cyber awareness training for their employees. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations.

Stephen Martin, Director General of the Institute of Directors, said: “The UK is a leader in the digital economy, but if we are to build on our existing strengths and capitalise on new technologies, we have to go into the future with our eyes open to the risks. This report has revealed that business leaders are still putting cyber security on the back burner. The results, even for small and medium-sized businesses, could be catastrophic. With threats evolving all the time, and demanding new regulations just around the corner, we cannot afford another year of complacency from business. Now is the time for firms to test their defences and make sure all of their employees, including management, have the right skills and knowledge on cyber security. This isn’t an IT issue, it’s a business survival issue.”

And Adam Rowse, Head of Business Banking at Barclays, said: “In this digital age, cyber security should be a priority for every single business. More must be done to help businesses recognise the threat an attack could have not just on their bottom line, but to their reputation or even future existence. Keeping customers’ data safe and secure is a legal responsibility so they need to prepare for the unforeseeable. SMEs need a strategy in place to weather cyber-storms – a head-in-the-sand approach won’t do. This could include a resilience plan raising staff awareness of the common types of attack, investing in up-to-date software protection and knowing who to report the crime to if the unexpected occurs.”

Comments

Richard Brown, Director EMEA Channels and Alliances at Arbor Networks, said: “The fact that more than a third of UK businesses lack a formal strategy against cyber-attacks is shocking. Attack methodologies are evolving by the day and as such, it is no longer acceptable for businesses to be complacent about their cyber security strategy. Businesses must take the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. Organisations should also instrument their internal networks so that they have broad and deep visibility of network traffic, threats and user behaviour.”

And Tony Pepper, co-founder and CEO of data security product company Egress, said: “It seems astounding that despite the numerous very high profile breaches in recent memory, just over half have a strategy in place to deal with cyber security. It’s difficult to understand why, given the plethora of tools, advice and warnings that are out there, businesses are still so unprepared. Stephen Martin is right when he says that ‘this isn’t an IT issue, it’s a business survival issue’, but it also goes further than that. At its foundations, cyber security is a human issue. While putting the right technology in place is an important factor, this should go hand-in-hand with the ‘human element’. This includes training and incentivising staff to use data security solutions, as well as predicting where they will fall short and shoring up any gaps where human error might creep in. Social engineering isn’t a popular attack method for nothing – it’s because cyber criminals know humans are easy to manipulate into clicking the wrong link or accidentally sending the wrong attachment to the wrong person.

“On top of this is the fact that almost every major story about data breaches focuses on hackers using sophisticated techniques to cripple a company – as in the case of Yahoo. While clearly this is an issue for many companies, the reality is that 48 per cent of records are breached due to accidental loss – not a malicious external hacker forcing their way in – so employees, directors and boards need to be better equipped to deal with all forms of data risk. Not just those that make the scariest headlines.”


© 2024 Professional Security Magazine. All rights reserved.
