lolloj - Fotolia
Cyber attacks cost UK business more than £34bn a year, study shows
Nearly half of UK firms lack advanced cyber defences, despite the high level of concern about cyber attacks and associated costs
Cyber security incidents cost UK firms £34.1bn in the past year, but under half have enhanced defences, a survey has revealed.
Managing malware alone cost £7.5bn, while data theft incidents cost £6.2bn, compared with the estimated financial impact of burglary over the same period of £5.8bn, according to the study commissioned by business internet service provider (ISP) Beaming.
The study polled more than 500 UK business leaders about crimes that have affected their organisations in the year to 31 March 2016, as well as their current security concerns and approaches to maintaining resilience.
Figures showing the overall impact of security breaches were obtained by considering Beaming’s findings alongside business population estimates from the Department for Business, Innovation and Skills.
The study revealed that UK bosses rank computer viruses and data theft as the biggest security threats to their businesses.
More than a fifth of respondents said they are “highly concerned” about the threat of computer viruses, and 22% said they discuss cyber security regularly at board level.
The fear of hackers is greatest among large companies, of which a third expressed a high level of concern.
Nearly half of respondents said they have enhanced the cyber security defences that protect their technology and communications networks. Some 18% said they have extensive measures to combat hackers, and almost three-quarters said they have insurance to cover losses caused by malware.
However, the survey also revealed that 44% of firms have only basic levels of protection in place for the risk.
One in eight admitted that their IT infrastructure had been damaged by malware in the past 12 months, costing an average of £10,516 in time and money spent managing each incident.
Employees were found to be responsible for infecting computing systems in more than a third of cases.
Read more about incident response
- Professional incident response providers can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
- Planning and foresight are essential to any cyber security incident response plan. Follow these steps to make sure you are ready for a data breach.
- Organisations hit by cyber attacks often lack an effective incident response plan. Why are so many unprepared?
The study revealed that large and medium businesses are almost twice as likely to be hit by malware as smaller companies, with 21% of firms with more than 250 employees and 19% of 100 to 249 employees hit with malware, compared with just 11% of businesses with fewer than 100 employees.
The study showed that 7% of organisations polled were hit by hackers in the past year, with the average cost of each attack estimated to be £16,264.
The risk of data theft also increases with business size, with 16% of large companies suffering successful attacks in the past year, compared with 12% of medium-sized firms and 4% of small businesses.
Sonia Blizzard, managing director of Beaming, said data and intellectual property are valuable assets, but like any asset they are vulnerable to damage, loss or theft.
“We are seeing an arms race between businesses that rely on the internet and those who use it for malicious purposes,” she said.
“Leaders recognise that cyber attacks present a critical risk to their businesses, and that they must be more resilient to meet an increasingly sophisticated enemy. Enhanced encryption, network level monitoring and secure connectivity are must-haves for businesses today.”
Businesses need to be proactive with security
According to Rob Norris, director of enterprise and cyber security in Europe at Fujitsu, the findings of the study are unsurprising.
“You just need to look at the number of companies being hit by attacks to see the growth of malicious intent. Criminals seek data and intellectual property to sell, and companies have it. It is as simple as that,” he said.
Norris said, for this reason, it is vital for organisations take a proactive approach when it comes to security.
“Organisations need to focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber criminals. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication,” he said.
“As the sophistication and regularity of security attacks continue to increase, it has never been more important for organisations to put security at the very top of the boardroom agenda,” Norris said.
Board lacks security insight and urgency
Stephen Love, European security practice lead at IT services firm Insight, said even more worrying than the cost of cyber attacks is the fact that 44% said they had inadequate means of protection to minimise risks.
“With damning reports about cyber security hitting media headlines almost daily, its baffling to think so many organisations are still putting security at the bottom of their agendas – considering it as a ‘nice to have’ rather than a necessity,” he said.
As digital transformation continues to revolutionise the world, Love said no matter the industry, every organisation is at risk of a cyber attack or a human error data breach.
“This is why it is crucial that all steps possible are taken to protect a business, not only to reduce the fallout of an incident, but to stop it from happening in the first place,” he said.
The core issue, said Love, appears to be a lack of understanding and urgency to implement security technologies, such as data loss prevention software, multi-layered security and biometric log-in systems.
“This presents a call-to-action for technology companies in the security space to ensure the message is getting across, that it is clear and understandable, and to support businesses from beginning to end on their security journeys,” he said.