Cyber risk stalks ALL industries regardless of size
Posted on 26th July 2021 by Phil Ainley MCIM, CMktr, Dip DigM
Cyber – adjective
Relating to or characteristic of the culture of computers, information technology, and virtual reality.
Cyberattack – noun
An attempt by hackers to damage or destroy a computer network or system.
Cybersecurity – noun
The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
Insurance – noun
An arrangement by which a company or the state undertakes to provide a guarantee of compensation for specified loss, damage, illness, or death in return for payment of a specified premium.
A thing providing protection against a possible eventuality.
With the increasing level of connectivity and use of technology across ALL industries comes the ever-present risk of sophisticated cyber-attacks.
For all the benefits that increased connectivity and improved technology bring, it cannot be ignored that they create greater vulnerability to cyber-attack, which leads to increased stress, potential loss of revenue, expensive IT fixes and a whole host of other potential problems for businesses.
Who is at most risk from a cyber-attack?
While bigger businesses are perceived to be most at risk, and because of this invest the most in cyber security, a recent report by Business In The Community has found that smaller businesses could be the most vulnerable to cyber-attacks.
The BITC report states that small businesses are not investing the same levels of time and money in their own cyber security as their medium to large business counterparts.
This is a big concern from a supply-chain perspective, especially in light of the Ticketmaster data breach in 2018, which showed that smaller, third-party suppliers can sometimes be the cause of cyber-attacks and data breaches at larger companies.
The report ‘Would You Be Ready For A Cyber Attack?’, which was commissioned with YouGov, is well worth a read.
A recent report on BBC Radio 4’s Today Programme also stated that the proportion of UK firms reporting a cyber-attack so far in 2019 had jumped by 40% despite a lot of businesses admitting they are under-prepared for data breaches.
Are some sectors stronger than others?
As you might expect, some sectors are investing more in their own cyber security than others. BITC’s report indicates that the IT, telecoms and legal sectors are more likely to have invested in cyber than sectors such as construction, transportation and distribution.
Addressing the weaker sectors would help to make the whole supply chain more resilient from end to end. A lack of understanding of cyber and the threats it poses could be a key reason why investment is lower in these sectors.
The IT and telecoms sectors are reliant on technological systems to function properly, and the legal sector undoubtedly has a great understanding of cyber crime from case histories, law and legislation.
Industries such as construction, which may not have the same level of reliance on technology, could be forgiven for not understanding the importance of investing in cyber security when there are likely to be other areas of their business that are more pressing in terms of investment.
With this being the case, education and information are required to ensure the most vulnerable sectors are fully aware of the risks.
Are cyber breaches on the rise?
A Cyber Security Breaches Survey in 2018 by the Department for Digital, Culture, Media & Sport reported that 4 in every 10 businesses and two in every ten charities had experienced a cyber breach in the previous 12 months.
The survey also highlighted that three-quarters of businesses and over half of all charities claimed cyber security was a high priority for their senior management, yet only 27% of businesses and only two in every ten charities had a formal cyber security policy in place.
What is clear from the findings of both the Cyber Breaches Survey and the BITC Report is that the rapid growth in technology has left many businesses behind in its wake and those businesses are struggling to catch up.
Has data protection legislation helped?
The panic among businesses surrounding the implementation of GDPR in May 2018 did force many organisations to take stock of their data protection policies and update them, or even create them from scratch.
Yet, according to the BITC Report:
- Only 35% of small and medium size businesses (up to 249 employees) had a basic data protection policy in place.
- 30% of small businesses (up to 50 employees) said they did not have a cyber security strategy.
- Only 23% of small businesses had a policy for controlling access to systems that are limited to certain employees.
- Only 17% of small businesses have someone responsible for cyber security.
- 10% of small businesses had an external communications policy in place should they be the victim of a cyber-attack.
- More alarming was that only 10% of small businesses have an up-to-date cyber risk assessment in place. That means 90% of small businesses do not know how vulnerable their systems are to cyber-attacks.
- 45% of small businesses stated that GDPR had been the main reason for implementing cyber security in the previous 12 months.
What also cannot be proven is how many organisations adhere to their data protection policies and the GDPR. Judging by the increased number of email marketing campaigns that are based sketchily on ‘legitimate interest’ rather than consent, that point could be open for debate.
What is clear is that businesses need to catch up and ensure they are cyber secure, and a good place to start is to become cyber-savvy.
As with any illness, focusing on preventing a cyber-attack on your organization will likely be a better policy than waiting for a cyber-attack and then trying to implement a cure.
Key points to help you safeguard your business from cyber threats:
Run a cyber risk assessment
As with most business operations, before you can go ahead with a new initiative you need to know exactly where you are at present. This is your Situation Analysis. Run a comprehensive cyber risk assessment of your business to find out exactly what your strengths and weaknesses are.
Back up your data
A surprising number of businesses do not back up their data. Whether you are a micro business or a large corporate market-leader, it is good business practice to back up your business-critical data on a regular and consistent basis.
Auto updates and auto backups are usually noted as being the preferred way of performing data backups. It is also a good idea to ensure you have more than one backup location such as cloud and an external hard drive that can be taken off-site.
Update your software
Depending on the results of your cyber risk assessment, you may need to update your software. Regular updates will help to resolve bugs and potential weaknesses in your software.
At the very least you should keep your antivirus software, anti-malware and your firewalls up to date. Other software updates to be aware of include your company website. WordPress, for example, regularly issues updates which you are alerted to in your WP Admin dashboard. You will also be alerted to any plugins installed in your WordPress website that need updating.
Follow the guidance from the National Cyber Security Centre
Cyber Essentials is a great government initiative for you to follow and offers you the opportunity to become cyber security certified. The 5 recommended technical controls you can follow are:
- Secure your internet connection
- Secure your devices and software
- Control access to your data and services
- Protect your business from viruses and malware
- Keep your devices and software up to date.
Update your security policy
The BITC Report recommends you write a company security policy that includes cyber security. This policy needs to be shared with all of your employees, so they are fully aware of their responsibilities and the security measures you have put in place. Internal training for your employees will also help.
Educate and constantly update your employees
As we mentioned in our recent article about cyber security risks on our railways, your staff need constant information, education and training to ensure they adhere to safe cyber practices.
If you employ people, it is your responsibility to ensure they know what to look out for and how to conduct themselves in relation to cyber. This is especially true if your staff are using company mobile devices and company laptops that allow for remote access to your systems.
Alarmingly, on page 14 of the BITC Report, 34% of small businesses stated that they didn’t think it was necessary to provide their employees with cyber training. Retail (46%), hospitality and leisure (40%) and education (33%) were the sectors most likely to think it is not necessary.
Yet these sectors are hugely reliant on gathering personal data for their marketing, so they should be the most likely to provide employee cyber training.
Protect your business with cyber cover and commercial crime insurance
Cyber insurance has now become a vital policy for the business world, yet a lot of businesses are slow on the uptake because they see it as an extra cost rather than a sound business investment.
Cyber insurance will complement your good cyber practices and will provide you with peace of mind that any disruption you experience in the event of a cyber-attack will be limited.
It is important to note that a Cyber Insurance policy may not cover you for all commercial crime, so it is important to take out a Commercial Crime Insurance policy as well.
For further details about Cyber Insurance and Commercial Crime Insurance contact us on 0333 321 1403.
Article first published 3 Jun 2019