7 in 10 large UK companies targeted by cyber attacks. Businesses should make cyber security a top priority
Nearly seven in ten large UK companies have reported being targeted by cyber attacks and businesses that have personal information on their clients are more likely to get attacked. And when it comes to the means of the attack, fraudulent emails, viruses and malware are the most commonly used tools to create breaches.
A new Government survey on cyber security breaches shows the extent to which UK companies are at risk. After looking at data from 1,523 UK businesses and following that up with in-depth interviews, the study concluded that over half of British businesses have been targeted by a cyber attack.
Medium and large companies are more at risk than smaller businesses and companies that hold personal data are among the preferred targets for hackers.
Companies that have websites and greater online activity have also been more attractive to hackers, and so are businesses with a strong social media presence or those that use cloud.
But companies have realized the importance of cyber security and three-quarters of the businesses interviewed have admitted that cyber security has become a “high priority” for them. Almost all big companies have reported spending additional money on cyber security and over half of businesses have enacted basic technical controls to protect themselves against hackers.
For businesses that work in domains like communications or utilities, cyber security has become more important and the costs associated with it have also increased. And since financial institutions hold important electronic personal information, for them, protection is a high priority. The cost for cyber security ranges from tens of thousands to a couple of hundred pounds.
And when asked what led companies to invest more in security, most of the businesses admitted that protecting customer data was among their main concerns. Also, for a lot of companies, the need to protect trade secrets, intellectual property or other assets prompted the implementation of tighter security protocols.
To help with cyber security, most large companies, especially those that have high turnover, will outsource protection to specialized firms, while smaller enterprises will hire staff particularly for the purpose of cyber security.
In the last year, the average business identified 998 breaches, a figure pushed up, according to the study, by the minority of businesses that experience hundreds or thousands of attacks in this time frame. Some companies admit that they faced attacks daily while others reported being breached once a year.
What are the main tools for breaching security
The most common types of breaches are related to staff receiving fraudulent emails. The study shows that in 72% of cases where firms identified a breach or attack, this was related to suspect emails being sent to members of the staff.
And while protective measures will go a long way, the government advocates for staff education and information as their vigilance could help prevent breaches and potential attacks.
But businesses are not always keen to invest in staff training. IT workers are usually the ones that are provided cyber security training and in large companies there is also a need to train senior managers. Only about 60% of large companies have trained their senior officials while overall, 79% of all businesses have invested in educating leading managers.
Some companies said that the courses offered were not basic enough for the general staff, while others were more concerned with the IT employees being currently and routinely informed about the most recent scams.
Also, businesses have developed informal communication in making staff aware of any recently received potentially dangerous emails.
The next most common tools used by hackers are related to viruses, spyware and malware, people impersonating the organisation in emails or online and ransomware.
Education, health or social care (62%), finance or insurance (59%), and information, communications or utilities firms (47%) are more likely than average to have formal policies in place for cyber security.
Large companies are also more likely to put in place rules regarding what employees can and cannot do on work devices and also protocols in place for remote work. They are also much more likely to use data classification in order to protect sensitive information.
Companies in the finance or insurance, and education, health or social care sectors are also more likely than average to have documented their risks in internal plans, audits or risks registers.
What do companies do for protection
Updating the existing software and having up-to-date malware protection seem to be the most popular steps taken by companies in order to protect their data from breaches. Appropriately configuring the firewalls and backing up data securely are also measures put in place by a large part of the British companies that participated in the survey.
Cyber attack aftermath
Not all breaches and attacks have material outcomes that affect the business but almost half of businesses confronted with a breach last year reported that they temporarily lost files, network access or got their system corrupted due to the attack.
Also, over half of the companies said that the breach adversely impacted their organisation, they were forced to implement new protective measures or they had staff time taken up in dealing with the breach.
The cost of cyber attacks
According to the businesses that were attacked in the last 12 months, the average cost of such a breach amounts to £1,570. Large companies reported higher costs, around £19,600, while medium firms said that attacks cost them an average of £3,070.
And the direct costs of cyber attacks are just part of the problem as the breach can also lead to long-term costs and funds being spent on recovery. And sometimes, the costs can be difficult to assess, especially as one breach can result in changing entire protocols in working with clients and ending up in frustration over the services delivered to clients.
Also, attacks that damage a reputation can have long lasting effects with noticeable impact on the companies’ bottom lines.
Sounding the alarm
The government report also highlights that while companies have taken seriously their role in protecting customer information and are making efforts to comply with the legislation put in place, there is still a lot of confusion over how to best address online threats.
Receiving conflicting information and not being well informed is particularly a problem for small enterprises and while companies are good at reacting immediately to attacks, they have a worse record of reporting that an attack occurred.
The survey underlines that beyond the police, there is little reporting of breaches to public sector agencies and much of this is caused by companies not knowing who to report to and why that would be beneficial.
Under-reporting might become a problem and businesses admit that more often than not they do not consider the breach as something criminal, not even in the situation in which they lost files or information.
Businesses need to be given more guidance on where and why to report breaches.
And the Government is also working on rolling out a new General Data Protection Regulation and it just opened up a new National Cyber Security Centre, a part of GCHQ, to increase the country’s cyber resilience.
“UK businesses must treat cyber security as a top priority if they want to take advantage of the opportunities offered by the UK’s vibrant digital economy,” Ciaran Martin, CEO of the National Cyber Security Centre said in a statement, underlining that “Cyber Essentials, technical advice on CiSP and regularly updated guidance on the NCSC website offers companies, big and small, simple steps that can significantly reduce the risk of a successful attack.”