The majority of businesses and charities are reliant on online services, exposing them to cyber security risks. But what are the steps needed to avoid a cyber security breach/attack?
Over 90% of UK businesses and charities rely on some form of digital communications or services, such as:
– Email addresses
– Websites
– Online banking
– The ability to shop online
Over four in ten businesses (43%) and two in ten charities (19%) experienced a cyber security breach or attack in the last 12 months. This figure rises among large businesses (72%) and large charities (73%) with incomes of £5 million or more.
Charities are exposed to further online risks. Around three in ten enable people to donate online (31%) and just under three in ten allow beneficiaries to access their services online (27%).
Just under half (45%) of businesses and two-thirds (65%) of charities have BYOD (Bring Your Own Device). The businesses where this occurs are more likely to have had breaches or attacks (49%).
Breaches can result in:
– Lost assets
– Lost data
– Financial burden
– New measures against future attacks
– Extra staff time to deal with the breach
– Staff being stopped from carrying out day-to-day work
Typically, organisations incur no specific financial cost from cyber security breaches. Most breaches do not have any material outcome; when they do, it is usually in the form of lost assets or data. The average cost of breaches is £3,100 for businesses and £1,030 for charities. This is much higher for medium businesses (£16,100) and large businesses (£22,300).
The below graph represents the increased cost of lost assets for medium businesses since 2016:
Three-quarters of businesses (74%) and over half of all charities (53%) say that cyber security is a high priority for their organisation’s senior management. Yet, this is still not always matched by action or engagement from senior management teams. Just three in ten businesses (30%) and a quarter of charities (24%) have board members or trustees with responsibility for cyber security.
One in five businesses (20%) and two in five charities (38%) also never update their senior managers on cyber security issues.
Under three in ten businesses (27%, versus 33% in 2017) and two in ten charities (21%) have a formal cyber security policy or policies.
How to overcome the problems:
– Training/re-training: training that is irregular or not mandatory may be forgotten, so businesses need to make it a regular process and help employees understand its importance. Teach employees how to recognize a phishing email and what to do when they receive one (high-level executives are often a target).
– Because the cost of face-to-face training sessions may be difficult to meet, organisations should have access to more video training sessions or webinars.
– Provide evidence! If you just state the obvious without showing data/statistics, employees are less likely to pay attention to and take action towards keeping your company’s (and their own) data safe.
Do you have a Cyber Security Management process in place?
– Applying software updates when available
– Up-to-date anti-malware and anti-spyware/anti-virus protection
– Strong passwords (and changing them regularly)
– Firewalls with appropriate configurations
– Control access and restrict it to authorised users
– Security controls on company-owned devices
– Seek out the latest Government information and Guidance
– Monitor for intrusion (generate an alarm/email alert based on certain types of activity)
– Back up data to an external drive/USB/cloud storage
– Engagement of senior management on the policies
– It may sound obvious, but do not give out personal information if you are not highly certain of the website’s authenticity. For example, during 2017-2018 a lot of people were scammed by others claiming to be Airbnb hosts, when in reality the listing’s pictures were fake and nothing on there was legitimate. However, if you looked more closely, the “lock” icon (which comes up next to the URL, indicating a website is genuine) wasn’t there!
Cyber security and threats are no news to anyone and should not be. Technology and innovation may benefit both sides but companies and individuals can and should take necessary steps towards securing their data. If employees are educated enough on the reasons why cyber security is important, the possible costs involved and the ways to overcome a threat, the aforementioned numbers will be decreased next year!