
Is your business too complacent about cyber security?

Stephen Hancock | Information Age | 8 May 2017

This article was first published in Information Age.

The results are in. Britain’s businesses need to get better at protecting themselves from cyber criminals. The UK’s Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey seeks to uncover business attitudes toward cyber security and the nature and impact of breaches. So what picture emerges when we focus on medium and large businesses?

  • The results strongly support the oft-repeated message – ‘It’s when, not if, you get breached’. Nearly 70% of medium and large businesses reported breaches or attacks in the last year. Phishing was by far the most frequent attack, with 72% falling foul of it.
  • Ransomware is a new category of attack this year and is already at fourth place, with 17% reporting having been hit with ransomware demands. Some businesses feel they’re at low risk because they have little ‘valuable’ data, e.g. customer credit cards and bank accounts. And while it remains true that firms holding customer data suffered more breaches, the rise of ransomware shows the data only has to be valuable to you to be of interest to criminals.
  • Despite the high level of attacks and breaches, there’s some evidence of complacency. Around 90% of medium and large firms say cyber security is a high priority for senior management – something the report cites as evidence of a strong security culture. But less than half have had staff attend training on cyber security in the last 12 months – and almost 40% don’t have a formal policy on cyber security. This is despite the prevalence of phishing.
  • 10% of medium and large companies still don’t have guidance on selecting strong passwords and lack security controls on company laptops. Food and hospitality firms show particular weaknesses even though they’re especially at risk of breaches involving loss of customer data.

What might be surprising to some is the relatively low cost associated with an attack – just under £20,000, on average, for large firms. But while the average cost of handling many low-level attacks may be relatively cheap, the cost of a single breach that leads to the loss of personal data can be very different. The 2016 IBM/Ponemon Institute Cost of Data Breach Study for the UK put the average cost of a data breach at £2.53 million, and this is only likely to increase when the penalties under the European Union General Data Protection Regulation begin to bite. A major breach may also have a significant effect on reputation and customer confidence. For example, TalkTalk’s breach cost the company an estimated £60 million and the loss of 95,000 customers, as well as a sharp drop in its share price.


So what should companies do?

The best prepared organisations share some common characteristics:

  • They assess the risks to their business, using a formalised approach such as ISO 27005 that covers information assets, threats, vulnerabilities, impacts and likelihood
  • They seek to meet the cyber security controls set out in standards such as Cyber Essentials, ISO 27001 and PCI DSS
  • They seek advice on the state of their cyber security in order to obtain an independent view of their strengths and weaknesses
  • They actively test using vulnerability scans and penetration tests – simulating the sort of attacks that a hacker may use and then acting quickly to close potential vulnerabilities
  • They plan and test their responses to data breaches, using security scenarios and cyber war-games, so that if the worst happens they are well prepared and can respond quickly and minimise damage
  • Top management is committed to continuous vigilance and improving cyber security, recognising that a sound security culture – where everyone in the organisation understands the risk and knows what part they can play in keeping their organisation and stakeholders secure – is essential.

Adopting these approaches – in a proportionate and relevant way – will go a long way towards protecting your people and your customers from the constantly evolving cyber threat.

Stephen Hancock is a cyber security expert at PA Consulting Group
