Small businesses in the UK are the target of an estimated 65,000 attempted cyber-attacks every day, according to new figures from a study by Hiscox, a specialist insurer.
According to Hiscox, almost one in three (30%) UK small businesses suffered a cyber breach last year – equivalent to over 4,500 successful attacks per day or one every 19 seconds.
The cost of a cyber-attack
Cybersecurity incidents cost the average small business £25,700 last year in direct costs (for example, to pay a ransom or take remedial actions), but this is just the beginning.
Indirect costs, such as damage to reputation, the impact of losing customers and difficulty attracting future customers, remain unmeasured but are expected to have a significant impact.
Massive cybersecurity breaches have become almost commonplace, from Facebook to British Airways to Dixons Carphone, all regularly grabbing national headlines. But, for all of the attention generated by these incidents, many organisations still struggle to comprehend the risks of a cyber-attack and fail to prepare adequately.
Most small businesses recognise the threat that cyber criminals pose on a global scale but are less convinced of the risks facing their own operations, considering themselves ‘too small’ to be worthy targets, but this isn’t the case.
Attackers know that SMEs have less money and fewer resources to spend on IT, and by targeting them they can bypass inferior security. With small businesses lacking credible cybersecurity strategies to help manage and prevent such attacks, however, the impact when they do occur can be disproportionately severe.
Hackers are prolific and sophisticated, which makes staying on top of cybersecurity a challenge for many organisations. The majority of cyber-attacks are automated and indiscriminate, exploiting known vulnerabilities in IT systems rather than targeting specific businesses.
The number of incidents is increasing
Businesses in the UK are facing a growing threat of cyber-attacks, with the number of incidents increasing in scale and complexity. As always, criminals continue to target firms for financial gains. The shift from crime to cyber-crime hasn’t changed the "modus operandi", but it has provided these criminals with an additional set of tools to attack businesses.
Yet there is a gap emerging between an evolving threat landscape and the resources organisations are allocating to defend against such attacks.
When it comes to cybersecurity, you’re only as strong as your weakest link - which means any business can be at risk from cyber-attacks targeting system vulnerabilities.
When questioned, only 52% of UK small businesses stated that they have a clear cybersecurity strategy in place to manage the impact of an attack, which Hiscox says can significantly hamper their ability to detect, manage and prevent security breaches, as well as make the overall impact much more severe.
Experts agree that communication during and after a cyber-attack is critical to managing it, yet only 56% can say with confidence that they fully disclose details of a cyber-attack to relevant stakeholders.
This is particularly concerning given the introduction of GDPR in 2018, which requires all organisations to report a data breach to the ICO within 72 hours and notify affected customers without undue delay. There are severe financial penalties for companies that do not comply with these regulations.
The largest fine to date under the GDPR was $57 million for Google. Recovery from cybercrimes is expensive, but new regulations and fines will raise those costs. With the emergence of stricter regulations regarding consumer privacy and data rights, companies have to be more diligent about managing information.
Most alarming of all is that the majority (66%) of those that suffered an attack admit to making no changes to their policies or systems to help prevent further breaches in the future. This is perhaps one of the key reasons why over half (56%) of those who’ve suffered a breach are the victims of multiple attacks.
The variety and volume of cyberattacks continue to rise. Malware and unauthorised access to data remain major concerns, but these persistent threats are joined by growing risks associated with the Internet of Things (IoT) and ransomware.
Human error is more dangerous than hackers
According to Accenture’s 2019 Cost of Cybercrime Study, “Humans are still the weakest link”, as human error is often at fault for exposing sensitive information or undermining internal security practices.
And as software becomes harder for criminals to hack, they are aiming for softer targets by using tactics such as ransomware, phishing and social engineering to gain entry through human error.
Information theft remains the most costly and primary goal of cybercrime, but data is not the only target. Core information and technology systems, such as industrial controls, are being hacked with the malicious intention to disrupt and destroy businesses.
Only about one-third of companies view security as a threat to business growth, yet companies continue to introduce digital services to boost growth, adding risk or compliance issues that are not adequately addressed in the current security set-up.
In light of the economic ups and downs that businesses are experiencing, it is tempting for companies to support investments that yield quick returns, while delaying expenditure on long-term projects such as enhancing security - for what many perceive as a “small risk”.
The disruption of an ongoing business, loss of information, revenue loss, hardware and reputational damage are the primary "consequences" of cybercrime.
Cybersecurity best practices
Cybersecurity precautions help you to protect your hardware, IT infrastructure, business applications and sensitive data from unauthorised access.
A malicious attack or breach of your IT systems could take place remotely, on third party systems that hold your data, or by employees.
There are a number of basic steps that small businesses can take to help protect against the evolving threat that cyber criminals pose:
• Involve and educate your employees about cyber threats and how to deal with them by creating a cybersecurity plan
• Establish a Risk Management Regimen so that you have a formal process or procedure to follow if you find your business under attack
• Make sure you integrate cybersecurity training when you on-board new staff, and regularly refresh existing employees on the latest developments
• Make ongoing monitoring of what is happening to your IT infrastructure and networks a priority
• Track incidents and create alerts using both automated monitoring and a manual log managed by staff to flag suspicious activities
• Create a defence-in-depth approach that covers both the precautions you need to take to protect your business and the remedial actions to take in the event of a breach
• Create a plan for all incidents, from detection and containment to notification and assessment, with roles and responsibilities defined
• Keep in contact with other companies and customers to keep emerging threats and new best practices on your radar
• If necessary, seek third-party professional support to assess and execute your cybersecurity planning
Let us at Worktools help you look after your data, your reputation and legal compliance.
As an outside provider, Worktools can do initial security assessments and ensure that everything is secure, both locally and through remote access. We can also help create your cybersecurity plan so you know how to prepare for and, if necessary, respond to an incident.