Cyber crime has cost mid-size businesses more than €33 million in the UK in 2018, according to a recently-released report by financial services firm Grant Thornton. More than 500 UK businesses were surveyed as part of the study, Cyber Security: the board report.
More than half the companies who experienced a cyber attack last year reported loss equivalent to between 3% and 10% of their annual revenue, with the hardest-hit reporting up to 25% being lost.
As is often the case, reputational loss was considered the largest cost to the business, as reported by 58% of respondents. This was followed by remediation costs (45%), management time (44%), loss of turnover (39%) and loss of customers (35%).
Companies not prepared for today’s cyber threats
Despite the seriousness of the costs of suffering a cyber attack, 63% of the companies surveyed said that they did not have a board member who was specifically responsible for cyber security, with roughly the same number stating that their board did not formally review their cyber security risks.
Grant Thornton believes that mid-size firms make particularly appealing targets for cyber criminals as they have more turnover/assets than smaller companies, but do not have the same top-of-the-line cyber security as larger corporations.
“Cyber risk management should be fundamental for every business striving to grow in a connected, digital world, and boards need to recognise its importance. No business – whatever its size or sector – is immune,” according to James Arthur, head of cyber consulting at Grant Thornton.
Thanks to increasingly sophisticated tools becoming available, cyber criminals can now automate the process of probing online for weaknesses in order to find the most lucrative targets, allowing them either to sell the information on to other hacker groups or to take advantage of the vulnerabilities themselves.
“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” said Arthur.
“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”
Staff training better than technical measures alone
The report found that many of these businesses were relying on data backups to provide redundancy in the event of a cyber attack, believing that they could simply roll back time and carry on as usual. However, “with modern ransomware specifically designed to spend up to six months infecting entire networks, including data backups, this cannot be relied upon as a core component of a response plan,” said Arthur.
One often-overlooked means of limiting the potential damage of a cyber attack is to have a proper incident response plan in place, so that the organisation can act quickly and efficiently in the event of an attack, minimising damage and restoring critical systems as soon as possible.
“Businesses need to understand where their weak points are in order to counter the threat effectively. Yet our research shows that perceived and actual vulnerability often don’t match up, with many businesses feeling confident in their cyber management capacity but having no meaningful response plans in place. A pre-prepared, effective response plan allows a business to do the right thing as fast as possible, in a situation where every minute counts,” he said.
Lack of security awareness training among staff was also seen as a crucial issue that many mid-size companies failed to address, with only 36% of those surveyed providing all their employees with any kind of cyber security training in the past 12 months.
According to Arthur, ensuring all staff are properly trained, from entry-level employees right up to the CEO, is essential in today’s cyber environment.
“Often, companies make themselves vulnerable to attack simply by failing to get the basics right. Training to raise employee awareness can have a hugely positive impact on cyber security.
“People are often unaware of the important role they play in helping a business to stay protected, so companies of all sizes need to ensure they have regular and ongoing cyber security training in place.”
Good cyber hygiene doesn’t need to cost an arm and a leg
When it comes to protecting your organisation from cyber attacks, Arthur said that there are many organisational and procedural options to reduce risk. The report laid out six key areas which businesses should focus on first and foremost:
- Establishing a cyber incident response plan
- Regularly rehearsing the response plan using a range of different scenarios
- Monitoring and managing the risk posed from their supply chain
- Ensuring they understand the terms of their insurance and what is covered
- Understanding what “normal” looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns
- Investing in regular training and raising their people’s awareness of cyber security
“Effective cyber security does not need to cost the earth and goes beyond simply investing in new technology. There are simple, specific steps companies can take, such as implementing a meaningful cyber response plan and understanding what is normal for their business, to put themselves in a much stronger position.”
Work smarter, not harder – train your staff often for best results
When it comes to security awareness training, which is also a key tenet of protecting personal data under Article 39 of the GDPR, the frequency of training can also play a big part.
Delivering several hours of training in a single once-a-year session has been found to be far less effective than training rolled out on an ongoing basis. Tech Guard finds quarterly training to be the best frequency for most companies, striking a balance between keeping security top of mind for staff and not becoming time consuming or detracting from their duties.
Baseline training covering the basics of cyber security and GDPR awareness, followed by short (15-minute) modules rolled out every few months on various topics around cyber security and staying safe online, has produced dramatic results, particularly when paired with ongoing simulated phishing attacks.
The combination of regular training and simulated phishing can turn staff into a “human firewall”, whereby they are constantly keeping their eyes peeled for potentially malicious behaviour online. Regularly phishing users not only trains staff practically in how to recognise suspicious emails, but also has the additional benefit of documenting over time how an organisation’s risk has decreased as a result of its training and phishing programme.
Data protection authorities around Europe are particularly strict on documentation under the GDPR, stating that an organisation needs to not only have the appropriate technical and organisational measures in place to protect customer data, but they must also be able to prove it in the event of a data breach – regular phishing does just that, demonstrating that an organisation is proactive and practical about security.
Speak to Tech Guard today to arrange a baseline phishing test for your organisation, or arrange a demo of our Gartner-leading security awareness training platform. Don’t become the next data breach headline.