
UK businesses need to up cyber security with one in five hit by attacks

Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months, a survey reveals

One in five (20%) UK businesses reported being hit by a cyber attack in the past year, and larger firms were hit far more often: 42% of companies with more than 100 staff reported an attack, compared with 18% of those with fewer than 99 employees, according to the survey of more than 1,200 businesses by the British Chambers of Commerce (BCC).

The results indicate that 63% of businesses rely on their IT providers to resolve issues after an attack, compared with just 12% that turn to banks and financial institutions and 2% that turn to police and law enforcement organisations.

The findings show that while 21% of businesses believe the threat of cyber crime is preventing their company from growing, only a quarter of businesses have cyber security accreditations in place, such as the UK government’s Cyber Essentials Scheme or ISO 27001.

Smaller businesses are far less likely to hold an accreditation: 10% of sole traders and 15% of firms with one to four employees do, compared with 47% of businesses with more than 100 employees.

Of the businesses that do have accreditations, nearly half believe it gives their business a competitive advantage over rival companies, and a third consider it important in creating a more secure environment when trading with other businesses.

“Firms need to be proactive about protecting themselves from cyber attacks,” said Adam Marshall, director general of the BCC.

“Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack,” he said.

Marshall said accreditations can also increase confidence among the businesses and clients that organisations engage with online.

He said businesses that use personal data should be mindful that they will have to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.


“This will increase their responsibilities and requirements to protect personal data, and firms that don’t adopt the appropriate protections leave themselves open to tough penalties,” said Marshall.

In October 2016, the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122bn in penalties for data breaches under the GDPR, which will introduce fines for groups of companies of up to €20m or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000.

Using UK data breach statistics for 2015 and a maximum fine of 4% of global turnover, the PCI SSC calculated that the total fines levied by data protection regulators could see a near 90-fold increase, from £1.4bn in 2015 to £122bn.

Commenting on the reliance of most UK companies on IT support providers to resolve cyber attacks, Marshall said more guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow in the event of a cyber-security breach, and increase clarity around the response options available to victims.


The cyber threat to UK business is significant and growing, according to a joint report by the UK National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) published in March 2017.

However, the report said UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.

The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.

The NCSC is continually adding to the guidance on its website, with topics including Microsoft Windows 10, operational technologies, Android 7, macOS 10.12, iOS 10, phishing and ransomware.

Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic “cyber hygiene” to customers and employees.

Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber Security Information Sharing Partnership (CiSP), the report said.

Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.

Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.
