In 2018, the British NHS fell victim to a financially crippling cyber attack. The WannaCry ransomware incident cost an excruciating £92 million, certainly a high price to pay for an event that was entirely preventable. A report by Members of Parliament produced after the attack noted that all 200 of the NHS hospitals and other health services investigated failed cyber security checks.
But it is not only large public institutions that are at risk. Enterprises and smaller businesses alike are targeted by threat actors. With regard to the former, cyber attack costs ran at £34 billion according to a report by the Centre for Economics and Business Research (CEBR). The costs calculated included revenue and intellectual property loss and the increased cyber security spend.
Less easy to quantify are the reputational losses companies suffer and the subsequent, ongoing loss of clientele. According to a Forrester study of both UK and US companies, 38 per cent indicated they had lost business because of security issues, while 44 per cent of UK consumers state that they would not return to a business after a breach.
On top of these costs, there is also the matter of regulatory fines. Failing to adhere to cyber security mandates is an expensive and foolhardy mistake, as British Airways found out first hand when the national carrier fell foul of the GDPR.
Business owners reading this who assume their small company will fly under the radar may need to think again. As reported in Forbes, small businesses represent “prime targets,” precisely because would-be attackers assume poor cyber defences. Unfortunately, they are often correct. One report from security provider Carbon Black showed that 88 per cent of UK companies suffered a data breach in the past year, proving that cyber attacks aren’t so much a question of if, but rather when.
Perhaps the worst thing about a small to medium sized business being hit by an attack is that many companies never financially recover and are forced to shut down.
Given the high costs involved when a cyber attack hits its target, there is a very sound argument for greater investment in cyber security measures from the get-go. The initial financial outlay of a solid security strategy is more than worth it, particularly considering both the ever-increasing threat level and the dynamic nature of modern cyber attacks.
With that in mind, below are some actionable ways for UK companies to mitigate the risk and bolster their digital defences.
Employee Education & Ongoing Training
Threat actors frequently rely upon human foibles to land their attacks. Common methods, such as phishing, utilise employees to infiltrate a company’s systems. While most staff will be aware of the risk of opening a link in an odd-looking email, they may not be as cautious as needed.
Well-executed social engineering attacks are cleverly put together. Forget about emails from the twice-removed cousin of the Prince of Nigeria; today's threats are far more sophisticated. To mitigate the risk of phishing, among other attack vectors, businesses should run regular cyber security workshops for all employees, not just those involved in IT. If the company's systems or procedures change, more training is necessary.
In addition, a general culture of cyber security should be in place. Make sure each staff member knows that day-to-day security is their job as much as it is the IT department’s prerogative.
Testing & Checks
It's not enough to assume that cyber security measures are working well. Instead, companies should hire security experts to carry out penetration testing and check for vulnerabilities in the company's network and systems.
This is of even greater importance if the business engages in any form of e-commerce, as plug-ins and payment portals are frequently targeted. Likewise, companies that handle a large amount of client data are attractive targets, as personal information is easily sold for profit on criminal forums.
Invest in Security Solutions
Companies should have the following tools in place as standard:
- Enterprise-level firewall
- DNS protection
- Email scanner
- VPN encryption
With regard to the VPN, another option is to secure the company's whole Wi-Fi network, and any connected devices, with a VPN router. Then, any device connected to the network is protected. For individual staff members working at home because of the COVID crisis, a VPN to protect their devices is one of the best ways to ensure their data transmissions to company systems are encrypted.
The cost of cyber crime is high. To mitigate the risks, and the accompanying financial burden, companies should take cyber security very seriously indeed. The steps above in conjunction with good digital hygiene practice can make all the difference.