Businesses are being urged to step up their protection after new government figures revealed nearly half of businesses were hit by a cyber security breach in the past 12 months.
Graham Wedgbury, of Lycetts, fears businesses are putting themselves at unnecessary risk, after the Cyber Security Breaches Survey 2018 revealed that less than one in ten (9%) have cyber security insurance, despite 43% suffering a breach or attack in the past year.
Breaches range from staff receiving fraudulent emails (75%), to others impersonating the organisation online (28%), and viruses and malware (24%).
Victims experienced problems such as loss of files and personal data (28%), software or systems corruption (15%), websites being slowed down or taken down (10%), or money, assets or intellectual property being stolen (7%).
Wedgbury, who specialises in cyber security insurance, said: “These official findings are worrying, considering the sheer number of businesses that are being targeted and the vast majority who remain vulnerable to attack.
“There are millions of businesses in the UK – 5.7 million SMEs alone – which gives some perspective on the figures and demonstrates just how serious – and real – this threat is.
“Cybercrime is still in its infancy, and so, many businesses have not quite grasped the severity of its impact, making it an afterthought or low on their priority list.
“In the study, the most common reason businesses cited for not taking up cyber security insurance was that they didn’t consider there to be enough of a risk (41%) and the other main reason is lack of awareness (22%).
“Some organisations felt they already had enough funds to cover a loss due to a cyber attack, so did not see the need for insurance.
“But an attack can not only be costly, but can also negatively impact on the business’ reputation, brand, employee morale and relationships with investors – it has the potential to cause irreparable damage.
“Additionally, if a company is subject to a cyber attack and the Information Commissioner’s Office (ICO) find they haven’t taken steps to protect people’s personal information in line with the law, they could face a substantial fine. With General Data Protection Legislation (GDPR) coming into force last month, the likelihood of being fined for failings and the cost of the fine itself are a lot higher.
“Put simply, the threat of cybercrime is one businesses can ill-afford to ignore.”
Wedgbury warned that small businesses should not assume they are immune to attack, because of their size.
The survey, published by the Department for Digital, Culture, Media and Sport, revealed that 42% of micro/small businesses identified a security breach or attack in the past 12 months, at an average cost of £894.
One fifth of these businesses (17%) took a day or more to recover from their most disruptive breach.
Despite this, one in four (25%) have no cyber security risk management measures in place at all, not considering cyber security a priority (31%), or thinking their business is too small or insignificant to warrant it (24%).
Furthermore, just 26% of micro/small businesses have formal cyber security policies in place, compared to 62% of medium/large businesses.
Wedgbury said that the very fact that smaller businesses are less likely to take cybercrime seriously could be what attracts cybercriminals to target them in the first place.
He added: “It is clear that complacency when it comes to the risk of cybercrime is not an option for businesses – all organisations are vulnerable to attack, no matter how large or small, and should take steps to protect themselves.
“Businesses are continually having to contend with external threat – from hackers and fraudsters – as well as internal, such as disgruntled or corrupt employees.
“What smaller businesses need to bear in mind is that cybercriminals are not concerned by size or value. They are non-discriminatory in their approach, sending out malicious software on a random basis.
“This unpredictability and high level of risk should act as a motivator to be as prepared as possible.
“With understanding of the market, insurers can help businesses with contingency planning, helping establish an understanding of the implications of cyber-crime, evaluate risk, put security measures in place and action crisis plans, should the worst happen.”