ACCORDING TO the government’s 2013 Information Security Breaches Survey, an unprecedented number of cyber attacks are experienced by UK businesses. A staggering 93% of large organisations (employing 250 or more), and 87% of small businesses (under 50 staff) have fallen victim to cyber crime over the past year.
While the proportion of large organisations reporting security breaches remains consistent with 2012, 11% more small businesses appear to have suffered third-party hacking. The increasing number of businesses failing to protect their data is a concern, as is the spiralling number of breaches each will experience.
The survey reports that, on average, 50% more breaches have occurred. For large businesses the median figure is 113; for their smaller counterparts it’s 17, up from 71 and 11 a year ago. The associated costs are rising too – large companies can expect to pay between £450,000 and £850,000 for their security lapses; smaller companies face a £35,000 to £60,000 bill.
So what’s behind one of the biggest emerging threats to UK businesses? Whereas once it was attributed to criminals, hacktivists and competitors, the survey suggests in-house technology, processes and people are increasingly likely to inadvertently wreak havoc, particularly in small businesses.
Around a third of the worst security breaches of the year for all organisations were caused by human error, with a higher proportion of small businesses (57%) attributing security shortfalls to staff. Nearly one in five (17%) were aware staff broke data protection regulations.
Most respondents (81%) confirm they’ll continue to prioritise security with promises of extra expenditure. However, the survey’s commentators concede ‘many businesses can’t translate this expenditure into effective security defences’. The survey highlights how ‘ineffective leadership and communication about security risks often leaves staff unable to take the right actions’ and ‘weaknesses in risk assessment and skills shortages also often prevent effective targeting of security expenditure’.
The survey concludes ‘companies are struggling to keep up to date with security threats and so find it hard to take the right actions’. A fair assumption given technology within businesses constantly evolves (how can you hit a moving target?).
Social networking, smartphones, tablets, cloud computing and portable media bypassing defences are all identified as cyber attack tools. It’s therefore vital that firms understand where and how their breaches can occur, implement the necessary security systems and training to reduce the likelihood of an incident and, if one does occur, have mechanisms in place for damage limitation and business recovery.
Only 30% of large organisations refer to the government’s ten-step guidelines on how to protect a business from a cyber security threat, and for small businesses the survey says the implementation of basic practices is ‘patchy’.
Our own survey underlines this lack of understanding. Small business leaders were asked if they knew what cyber theft was. Only 39% identified it as the stealing of intellectual property or confidential data; the remainder had no idea. Any firm that relies on the internet or undertakes financial transactions electronically is exposed to cyber theft, yet only 6% of respondents felt their business was at risk.
It’s not surprising to find 78% of respondents had no insurance cover for this type of threat and the remainder weren’t sure. Despite insurers being crucial players in the battle against cyber attacks, few, it appears, are keen to use insurance for damage limitation and that all-important business recovery.
In general, a typical cyber policy will:
• Enable a firm to detect and restore damaged information/communication systems
• Reimburse lost profits following damaged systems or lost data
• Provide access to experts in crisis management, public relations, forensics and security
• Set up a temporary storage facility
• Meet investigation costs and any Government or regulatory-imposed fines
• Pay costs incurred in notifying data protection authorities and clients (in line with new European Data Laws) following a data loss
• Pay for credit monitoring and setting up of a call centre to deal with customer enquiries
• Manage and meet the costs involved with cyber extortion
In its recent ‘Cost of Cyber Crime’ report, the government estimated cyber crime costs the UK economy around £27bn a year. Businesses paid around £21bn, the Government £2.2bn and citizens £3.1bn. Whatever the business size, we all have a responsibility to reduce the costs associated with cyber crime.
Annie Plaskett is a senior manager at small business insurance specialist, YOUR Insurance