What are the chances?
Cyber security incidents hit the headlines with increasing and alarming regularity. Large organisations such as Marks & Spencer, Co-op Group and, currently, Jaguar Land Rover make the news, but significantly less reported are the much smaller businesses that are afflicted by the menace of cybercrime. Marks & Spencer are still recovering systems several months later and, earlier today, Next released their impressive results for this year, citing some of their increase as a result of Marks & Spencer’s cyber attack. The Co-op spent over a month without key IT systems. JLR are currently three weeks into a total manufacturing shutdown.
The knock-on effect at JLR is affecting suppliers, with some raising the prospect of going out of business completely. Other suppliers have their employees on reduced salaries or furlough. The Telegraph claim JLR are losing £72m a day which, if accurate, would currently amount to over a billion pounds. M&S costs were estimated at over £100m. The Co-op had no cyber insurance cover so refused to pay the ransom, which escalated the attack, with 6.5 million of its members having their data stolen. Earlier this year KNP, a logistics company, was destroyed by a ransomware attack. The 158-year-old company went out of business, putting 700 people out of work.
The larger organisations are grabbing the headlines due to the scale of the cyberattacks, the number of employees involved and, of course, the amount of money paid, lost or stolen. Smaller businesses are affected on a daily basis. Last year 60% of cyberattacks were targeted at SMBs. Blacon High School was shut for over a week due to a cyberattack and there are many other local examples. Too many businesses are crossing their fingers and hoping that they are not next. Some small businesses have no budget or resource allocated to cybersecurity and don’t see it as a priority. The only sensible approach to protecting your business is a multi-layered security approach. The traditional antivirus and router firewall are no longer enough. If this is all that stands between your business and a cyberattack, you are taking a huge gamble every day.
This is not scaremongering: the cost to UK businesses reached £44bn over the last five years, according to Howden Insurance. The average cost of a ransomware attack on businesses is £133,000. The prevalence of cyberattacks in the UK and the destruction they cause may be a symptom of a greater issue. In the UK there has been a lack of seriousness about online threats, or at least a lack of preparation. The lack of protection, preparation and planning around cyberattacks is all too common. To understand what we mean, think about your own business. Do you have an IT policy? Do you have a cybersecurity recovery plan? Do you have a disaster recovery plan? Do you comply with your cyber insurance requirements? Do you have cyber insurance? Or do you even know if you have any cyber insurance?
“We’ve seen a wave of criminal cyber-attacks over the last few years,” says Richard Horne, the NCSC’s CEO. He denies the criminals are winning, but says that companies need to improve their cyber-security.
The culture in the UK, with regard to IT Security, has been to invest as little as possible. It is often seen as an expense that is begrudgingly paid. It is viewed similarly to insurance policies, with the emphasis on getting it for as little as possible and little attention paid to what is included until it is needed. This is where past choices can have devastating effects. Businesses using a break-fix option for their IT support and relying on a free antivirus product will pose little or no challenge to a cyberattack. Contemplate what you would do if you had a ransomware attack: how would your business cope with 24 days (the average recovery time) of not trading, of paying salaries to staff who are unable to work for 24 days, of the reputational damage, of paying ransoms, paying for recovery and paying compliance failure fines? According to Kevin Beaumont, anyone who has been involved in a ransomware attack will tell you that your business IT has a heart attack. Someone deliberately tries to tear your organisation down with a scorched earth approach. Your business is devastated, taking weeks and months to recover, if it can recover at all.
Hacking is on the rise because it’s such a lucrative crime, says Suzanne Grimmer, who heads a team at the NCA.
If your current IT provider doesn’t align your business to security standards or hasn’t even mentioned standards, you need to be talking to a different provider. Take the initiative and start building IT security into every part of your business. Don’t make IT security an afterthought or a side issue. It should be front and centre of every part of your business. Put policies in place, draft plans and test them out. More important than any of this, invest in IT security and put robust protection in place for your business. It is far better to put carefully budgeted IT Security investment in place now than to throw money at an unfixable problem as it gets away from you.