Cyber: today's growing threat

Posted on: 06 December 2016


Sony, Talk Talk, Beautifulpeople.com, the list could go on. You only have to search ‘data breaches’ online to see reports of companies whose data has been compromised. From malicious or criminal attacks, human error or system glitches, to personal details being sold online, data loss has serious consequences.

Recent Government statistics show that 81% of large businesses and 60% of small businesses have suffered a cyber-security breach in the past year. Cyber-attacks are costing British industry £34bn a year [1], and if they are not resolved quickly, the cost of these attacks can escalate.

The average time to resolve an attack is 31 days, but some attacks can take more than 70 days to contain [2]. As you might expect, the resulting business disruption costs are the largest external cost associated with any type of cyber-attack. But there are many other implications, such as the cost and resource involved in resolving the attack; alerting customers of a data breach; loss of information and cost of recovery; reputational damage; and the potential loss of customers.
 

Regulation

Companies need to ensure their cyber risks are managed, not only to minimise any business interruption but also to comply with regulation. On 25th May 2018 the General Data Protection Regulation (GDPR) will come into force. Any regulation the UK implements post Brexit will most likely be along similar lines to the GDPR if personal data is to move freely between the UK and the EU. We can also expect fines on a comparable scale, which is €20 million or 4% of a company’s annual turnover (whichever is higher).

Cyber risk has clearly been pushed up the agenda. The Government’s 10 Cyber Security Steps, which details how organisations can protect themselves in cyberspace, was updated last year. In addition, the recently published ‘Common cyber-attacks – Reducing the impact’ sets out what to look for in a cyber-attack and how to protect your business.

Reducing the risk

There are a number of measures that can be taken to reduce the risk of cyber-attacks, which include:

  • Training – educating staff in how to securely use the company’s systems and recognise potential breaches.
  • Keep systems up to date – secure ‘patch’ software to automatically update programs and fix security vulnerabilities, and carry out regular scans.
  • Monitor removable media – limit access to removable media, such as memory sticks, and scan them before uploading data to company software.
  • Manage and monitor IT systems and networks – control the access of staff, limit the number of privileged users, monitor activity and log and analyse unusual activity.
  • Create a disaster recovery plan – produce and test plans to ensure the business is prepared in the event of an incident.
  • Establish anti-malware protection – scan for malware across the business.
  • Protect networks – implement network security controls to protect networks from internal and external attacks.

In addition, there are a number of schemes and services available to help with cyber-security. Cyber Essentials is a government-backed initiative which aims to help companies protect themselves against common cyber-attacks. UK businesses can apply for certification under this scheme and thereby prove they comply with standards of cyber security that businesses should be adopting.

This is now a mandatory requirement for certain central government contracts. It is frequently being requested as a minimum requirement in commercial tenders.