Why are fewer businesses taking cybersecurity seriously?
There has been a strong sense that the Covid pandemic has exacerbated the cyber risks faced by organizations. A combination of rapid digital transformation of operations and the willingness of attackers to exploit the uncertainty this creates has made for a fertile environment for cybercrime to flourish.
A recent report from the UK government’s Department for Digital, Culture, Media, and Sport highlights the scale of the problem. The paper reveals that nearly 40% of companies and over 25% of charities have suffered from some form of cyberattack in the last year. This number grows among larger organizations, with 65% of medium-sized businesses suffering an attack, 64% of large businesses, and 51% of high-income charities.
“News that two in five UK firms suffered a cyberattack in 2020 is a cruel reminder that hackers will not lay low during a crisis,” says Chris Harris, Europe, the Middle East and Africa (EMEA) technical director at Thales UK. “Cybercriminals are all too aware of the vulnerabilities that exist for businesses during the pandemic, and have taken advantage of potential distractions and disruptions facing organizations.”
Stepping up to the challenge
The problem is compounded by the fact that businesses seem to be struggling to administer the kind of cybersecurity measures they need to fully address the challenge. Indeed, the report reveals that fewer businesses are using security monitoring tools than last year, with a particularly sharp drop-off in organizations using any kind of monitoring at all.
As such, it's possible that many organizations are simply less aware of the breaches they're facing and the threats to their operations.
This head-in-the-sand approach is highly questionable, not least because over a quarter of organizations said that they were suffering from attacks on a weekly basis. By far the most common form of attack was phishing, with an incredible 83% saying that they faced this risk on a regular basis.
A sizeable impact
These attacks are also having a significant impact on organizations, with over 20% reporting that attacks resulted in a loss of either income, data, or other key assets. Even if there wasn't an explicit loss, many of those attacked had to implement operational changes to try and protect themselves from follow-on attacks, which takes resources away from operational matters.
Given these consequences, it's heartening to see that cybersecurity is a growing priority for executives.
Indeed, 77% of businesses now say that cybersecurity is a high priority. Where problems lie, however, is in converting this attention into meaningful action.
Indeed, the number of organizations that have actually implemented key cybersecurity initiatives is far lower, with a worrying 84% saying that they have made no significant changes as a result of the Covid pandemic, despite the rise in attacks.
“In order to overcome this, companies must ensure they’re approaching security in the same way a hacker would – by understanding where the sensitive data is being held, who has access to it, and what protections are already in place,” Thales’ Harris continues. “Once this has been established, security and access management controls – such as two-factor authentication, encryption, and key management – can be implemented to protect data at its core, whilst restricting access to only those who are authorized. In addition, businesses should also train employees to spot suspicious emails or potential phishing attacks and stop would-be hackers at the gate.”
Of the organizations that have been able to implement some operational changes, the use of Virtual Private Networks was by far the most common, with many organizations also turning to cloud servers to help accelerate any of the digital transformations they have undertaken.
“Whilst cloud servers and rapidly rolled out digital transformation strategies have enabled companies to operate remotely in the wake of Covid-19, cloud services may not offer the same protections that internal servers do and many businesses have been caught out,” Harris suggests, however. “This failure to install appropriate cybersecurity measures can lead to serious reputational, financial and business risks for organizations.”
For those who are lagging behind, the report provides a number of pointers to help, including advice on secure home working, securing any video conferencing platforms deployed, and how to securely digitize your business. The National Cyber Security Centre has also recently issued guidance to help the education industry bolster its cyber resilience. This is part of a wider £1.9 billion investment into the National Cyber Security Strategy in the UK over a five-year period, which will include support to help businesses improve their cyber resilience.
“The pandemic has taken an unavoidable toll on British businesses but we cannot let it disrupt our high cybersecurity standards,” says Digital Infrastructure Minister Matt Warman. “With more people working remotely it is vital firms have the right protections in place, and I urge all organizations to follow the National Cyber Security Centre’s expert guidance so we can build back better and drive a new era of digital growth.”