igor - Fotolia
Out of the 20% of UK businesses hit by cyber attacks in the past year, 42% were companies with more than 100 staff, compared with 18% with fewer than 99 employees, according to the survey of more than 1,200 businesses by the British Chambers of Commerce (BCC).
The results indicate that 63% of businesses are reliant on IT providers to resolve issues after an attack, compared with just 12% of banks and financial institutions and 2% of police and law enforcement organisations.
The findings show that while 21% of businesses believe the threat of cyber crime is preventing their company from growing, only a quarter of businesses have cyber security accreditations in place, such as the UK government’s Cyber Essentials Scheme or ISO 27001.
Smaller businesses are far less likely to have accreditation, with 10% of sole traders and 15% of those with 1 to 4 employees having accreditations, compared with 47% of businesses with more than 100 employees.
Of the businesses that do have accreditations, nearly half believe it gives their business a competitive advantage over rival companies, and a third consider it important in creating a more secure environment when trading with other businesses.
“Firms need to be proactive about protecting themselves from cyber attacks,” said Adam Marshall, director general of the BCC.
“Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack,” he said.
Marshall said accreditations can also increase confidence among the businesses and clients that organisations engage with online.
He said businesses that use personal data should be mindful that they will have to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.
Read more about GDPR
- Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
- The Information Commissioner’s Office (ICO) has set out its plans for publishing guidance on the EU General Data Protection Regulation (GDPR).
- Business demand for consumer identity management capability is growing to enable new business models and improve customer engagement.
“This will increase their responsibilities and requirements to protect personal data, and firms that don’t adopt the appropriate protections leave themselves open to tough penalties,” said Marshall.
In October 2016, the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122bn in penalties for data breaches under the GDPR, which will introduce fines for groups of companies of up to €20m or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000.
Using UK data breach statistics for 2015 and a maximum fine of 4% of global turnover, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated.
Commenting on the reliance of most UK companies on IT support providers to resolve cyber attacks, Marshall said more guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow in the event of a cyber-security breach, and increase clarity around the response options available to victims.
Read more about the NCSC
- The National Cyber Security Centre is unashamedly ambitious in aiming to make the UK the safest place to do business online, which chief Ciaran Martin sees as an achievable goal.
- The UK’s NCSC and NCA publish a joint report on the cyber threats facing UK businesses, outlining the best response strategies.
- The NCSC has the right pedigree to coordinate and balance the cyber security efforts of government, industry and academia, says GCHQ director Robert Hannigan.
However, the report said UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.
The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.
Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic “cyber hygiene” to customers and employees.
Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber-security Information Sharing Partnership (CiSP), the report said.
Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.
Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.