UK businesses are at risk of sleepwalking into a reputational time bomb due to a lack of awareness of how to protect their data assets, according to research by the British Standards Institution (BSI).
As cyber hackers become more complex and sophisticated in their methods, the BSI is urging UK organisations to strengthen their security systems to protect themselves and consumers.
A BSI survey of IT decision-makers found cyber security a growing concern, with 56% of UK businesses more concerned than 12 months ago.
More than two-thirds attributed this to hackers becoming more skilled and better at targeting businesses.
However, while 98% of organisations have taken measures to minimise risks to their information security, only 12% are extremely confident about the security measures their organisations have in place to defend against these attacks.
BSI expressed concern that IT directors appear to have accepted the risks to their data, with 91% admitting their organisation had been the victim of a cyber attack.
Incomplete security measures
The survey found 49% had experienced an attempted hack and/or suffered from malware, 42% had experienced the installation of unauthorised software by trusted insiders and 30% had suffered a loss of confidential information.
But, despite the confidence in the security measures they have in place, 60% of organisations said they had not provided staff with information security training; 37% had not installed anti-virus software; and only 49% monitored their users' access to applications, computers and software.
However, the survey found that organisations that had implemented ISO 27001, the international Information Security Management System Standard, are more conscious about the risk of cyber attack.
Some 56% of ISO 27001 certified organisations said they were aware of the risk, compared with just 12% of uncertified organisations.
Similarly, 52% of organisations that had implemented ISO 27001 said they were “extremely confident” about their level of resilience against the latest methods of cyber hacking.
“The research reveals that businesses that can identify threats are more aware of them,” said Mike Edwards, information security specialist and tutor at BSI.
“Our experience confirms that organisations with ISO 27001 can better identify the threats and vulnerabilities to their information security, and put in place appropriate controls to manage and mitigate risks.”
Consumers voice data security concerns
According to the BSI, consumers are looking for cyber protection from companies, and the companies in turn need to safeguard themselves and their customer data.
However, research has revealed that consumers lack trust in how organisations handle their data, with a third admitting they do not trust organisations with their data.
On the other hand, the research found a level of acceptance that nothing online will ever be safe, leading to a false sense of security that "this will not happen to me" among those who had not suffered from a cyber attack/crime.
“Consumers want their information to be confidential and not shared or sold, and those who want to be reassured that their data is safe and secure are looking to organisations who are willing to go the extra mile to protect their data,” said Maureen Sumner Smith, UK managing director at BSI.
“Best practice security frameworks – such as ISO 27001 and easily-recognisable consumer icons such as the BSI Kitemark for Secure Digital Transactions – can help organisations benefit from increased sales, fewer security breaches and protected reputations,” she said.
Sumner Smith said the onus is on businesses to take responsibility, if they want to continue to be profitable and protect their brand reputations.