The most recent high-profile victim of a cyber attack, the credit reference agency Equifax, has had to revise upwards to 694,000 the number of UK customers affected by the theft of personal data between May and June earlier this year.
The company’s chairman and chief executive, Richard Smith, has resigned and the Financial Conduct Authority has announced an investigation into the circumstances surrounding the breach.
The incident has resulted in the loss of data, unhappy customers, damage to the brand's reputation and, no doubt, a detrimental impact on the day-to-day running of Equifax in the aftermath of the attack.
All of these adverse factors could afflict a business of any size that is unfortunate enough to find itself confronted with a severe cyber event.
The cyber security breaches survey identifies four particular types of breaches:
- Staff receiving fraudulent emails.
- Viruses, spyware and malware.
- People impersonating the organisation in emails or online.
Whilst these breaches emphasise the need for technical expertise and software protection, the link with human behaviour is also evident, with staff unwittingly opening emails that contain malicious links or that impersonate a colleague.
One in five of all UK businesses have experienced an attack resulting in a material disruption, such as the temporary loss of access to files and networks, damage to software and systems and their website either crashing or slowing down.
Amongst the businesses that did suffer a breach, the costs associated with the clean-up after the event varied by business size.
As you would expect, the cost was higher for larger businesses, which had more sophisticated systems to repair and extra staff involved in the recovery process.
|Business size >||Small/Micro||Medium||Large|
In one case study featured in the survey, a department head and a senior manager within an engineering firm ignored advice from the IT department not to map network drives on to their local laptops. They subsequently inadvertently downloaded a ransomware virus.
The mapping allowed the virus to spread across the whole server, rather than just being isolated to the single device. The backup files from Microsoft were only restored a full week later, meaning the business could not access files previously stored on the server during that time.
Investment in Cyber Security
The potential harm is encouraging businesses to spend significant sums on cyber security. The mean spend of small and micro businesses stands at £2,600, with £15,500 and £387,000 the equivalent sums for medium and large businesses.
The average investment in the last financial year by the top 5 business sectors was:
- Information/Communications/Utilities £19,500
- Finance/Insurance £9,650
- Transport/Storage £6,040
- Admin/Real Estate £5,930
- Professional/Scientific £5,220
What is the Government doing to help?
A five-year National Cyber Security Strategy has been developed by the Government, with £1.9bn available to build sophisticated deterrents and systems over the same period. The strategy is available on GOV.UK.
The strategy is built around a vision that aspires to the UK being secure and resilient to cyber threats, prosperous and confident in the digital world.
Part of GCHQ, the newly opened National Security Centre is going to be the authority on the UK’s cyber security environment, sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues.
Then there is the Government-backed CYBER AWARE initiative, which encourages businesses to adopt key behaviours so that they are more resilient against the cyber threat. The Cyber Essentials Scheme is a useful starting point, with lots of advice on how to address the basics and get protection in place.
Here are some straightforward tips to consider now:
- Install the latest software and app updates as soon as they appear.
- Use strong passwords made up of at least three random numbers, alongside upper and lower case letters.
- Delete and do not open suspicious emails.
- Secure tablets and smartphones with a screen lock.
- Do not use public WiFi to transmit sensitive information.
- Always back up important data.
- Train your staff.
- Follow @CyberAwareGOV and @CyberProtectUK on Twitter for regular news.
The National Security Centre has produced a document specifically for small businesses.
With 3 in 5 businesses considering online services to be a core part of their offering and the increased prevalence of employees using their own devices for regular work, the scope for a data breach is a real threat.
Author: Guy Smith, Head of Technical Research