First the good news – according to the Department for Digital, Culture, Media & Sport, the number of cyber attacks on British businesses has fallen: 72% reported a breach or attack in the first six months of 2018, compared with 60% of medium-sized firms and 61% of larger firms in the first six months of this year.
70% of the directors of these firms told the Department that “cyber security is a high priority”, and nearly six in ten business leaders receive reports from their staff every month on cyber security issues.
But the bad news is that the number of firms in the UK offering cybersecurity training to their staff has fallen, and only 23% of medium-sized firms and 40% of larger firms are making progress on the government’s “10 steps to cybersecurity” program.
In some boardrooms, a real awareness of the dangers posed by cyberattacks is coupled with complacency about continual improvement in cybersecurity. Why is this? In this article, Sprout IT examines the latest statistics on how businesses are keeping critical client personal and professional data safe.
UK firms “facing paralysis as cyber criminals become more advanced”
A survey of 2,200 non-IT decision makers across 20 countries, conducted by NTT Security, found that progress towards corporate cyber security improvement is “failing” despite the increasing sophistication of the cyberattacks that criminals regularly launch against companies.
The report gave the reasons for this failure as:
- lack of security budget
- skills shortages
- confusion over who is responsible for what (44% believe that cybersecurity is the responsibility of the IT department rather than that of the wider business)
- low knowledge of what constitutes compliance
- ineffective cyber security policies and an inability to develop them internally
One third of UK respondents told NTT Security that they would rather pay a ransom to a hacker than invest more in cybersecurity because they perceived that the cost of paying the ransom would be less. Around the same number would pay a ransom rather than be subject to a fine by the ICO for non-compliance with GDPR and other regulations surrounding personal data. This is despite NTT Security’s estimate that the cost of recovery from a cyber breach is around $1.2m.
Although most companies are, encouragingly, still making progress, there is a worrying, self-stated lack of both leadership and budget within a significant proportion of these larger firms. The longer this situation persists, the more likely it is that hacking technology and techniques will advance even further, leaving these firms even more vulnerable than they are now.
In the Department for Digital, Culture, Media & Sport survey, respondents for SMEs reported that:
- 80% of those affected had been subject to a phishing attack
- 28% were subject to others impersonating an organisation in emails or online
- 27% had to manage viruses, spyware or malware, including ransomware attacks
- 32% of businesses recording breaches or attacks said that it resulted in a negative outcome including the loss of data or assets
- two thirds of businesses do not have a board member or trustee with specific responsibility for cyber security
- four fifths of businesses do not require their suppliers to adhere to any cyber security standards
- 84% of businesses do not have formal cyber security incident management processes in place
The legal sector and cybersecurity in 2019
By various measures, legal firms within the UK are actually as well prepared as most other medium-sized to large companies – arguably slightly ahead, in fact. For an industry with a reputation for moving slowly to adopt new technology, solicitors and barristers have provided real leadership to the wider business community.
That said, 8% of the data breaches reported to the ICO between July and September 2018 were security incidents involving law firms (source: ICO). Only 14% of firms’ senior management teams have participated in crisis management training in the previous 12 months (source: PwC).
Achieving cybersecurity within any legal firm is not an action that leaders should take once and never follow up on again.
Cybersecurity requires ongoing vigilance and leadership from the very top of any practice or chambers – leaders and senior managers should always ensure that it is considered in everything the firm does. Cybersecurity should be a cultural norm within any organisation which handles sensitive information on its clients, whether those clients are in a personal or professional capacity.
There is a skills shortage in the UK affecting companies wanting to protect themselves against cyberattack. There have been recent warnings that this skills shortage will get worse before it gets better (source: IFSEC Global).
Companies affected by this should look to combine the best of their existing internal IT resources with the best outsourced service on offer to provide a reliable and dependable ongoing solution, as the number and sophistication of attacks look set to increase, despite the temporary fall in number so far during 2019.
To speak with one of our team about ensuring that all your client data is safe and securely encrypted, please call Sprout IT today on 020 7036 8530 or email us