Data protection | Jul 17 2019

Beware of cyber attacks


The most recent survey from insurer Hiscox – the Cyber Readiness Report 2019 – showed that 61 per cent of companies have faced at least one cyber attack in the past 12 months, up from 45 per cent in 2018.

The average cost of each cyber incident to UK businesses was a massive $243,000 (£195,000), according to Hiscox.

Yet despite this, British companies had some of the lowest security budgets at $900,000, compared to an average of $1.46m across the 5,400 businesses surveyed worldwide.

Data revealed by a freedom of information request by accountant RSM showed the Financial Conduct Authority received information about 819 cyber breaches in 2018, a significant rise on the 69 reported in 2017.

The majority of these, perhaps unsurprisingly, came from the retail banking sector.

Wholesale financial markets were the next most targeted, with retail investment companies making up this unhappy podium.

You may think your business is too small or insignificant for a cyber attack to be warranted, but think again.

For the most part, cyber criminals are not sitting at their computers working out which companies would be worth attacking – okay, when it comes to major conglomerates they might be.

But in most cases they are sending out bots infected with malware that will search hundreds of thousands of websites at once for security weaknesses. Then they will exploit them.

If your company’s website is not updated with the most recent versions of your software, or worse still is using software that is no longer supported by the developer, you are asking for trouble.

For sure, it is not easy to keep everything updated.

You may not deal with your own site; you may rely on a service provider or developer to do this for you. We all know they are not always easy to deal with.

Some will go quiet on you, fail to get in touch when you ask them to, or in the worst cases, may take your payment for ongoing services that they then fail to apply.

It is sometimes only after there is a breach in your data security that you find out how inept your web company is.

For any small company that has personal data held in the back of a website, or some other software system that is accessible online – perhaps from a home office – there is the risk of a cyber attack through a weakness in the system.

Once you have had a breach, you have to act fast to sort it out, especially under the new General Data Protection Regulation regime.

However, for smaller companies it can be prohibitively expensive to get the right help to secure their site, software and systems.

Using a larger provider that deals with security on behalf of advisers using their systems can help to take away some of these stresses.

But you cannot walk away from your responsibilities entirely.

If you are lax in your approach to cyber security, then you could find yourself in hot water with both the Information Commissioner’s Office and the FCA should the worst happen.

So, there are a few things to bear in mind when it comes to cyber security:

• Make sure your staff understand the importance of password protecting their screens, and the systems you have them working on. Make changing the password a regular habit – yes, it can be hard to do that, but it is a sensible way to ensure the only people accessing your systems are the people who should be.

• If your staff work on external wifi to access your systems, then ensure they are using a secure wifi that is password protected. Using public systems on the train, in a coffee shop or in a restaurant is not a great idea. Even using a smartphone’s 4G system with password protection is better than this, so make sure your staff are well drilled in how they should and should not access your systems from outside the building.

• Keep your relevant staff updated on the latest GDPR requirements. If you have a data controller listed for your business with the ICO, they need to know what their responsibilities are under GDPR and comply with them. Anyone who controls data in your business should be GDPR aware and trained. It may not seem overly important, but it really will be if you have a breach and the ICO starts to ask questions about how it happened.

If you are unsure about whether you have a cyber security weakness, it would be worth speaking to an expert to have a thorough review undertaken to check.

Any problems highlighted should be considered carefully and addressed as soon as possible, because the damage a breach can do to your business, both financially and reputationally, is likely to be much more costly than the measures you could have taken to prevent it.

Alison Steed is a freelance journalist