I read recently we create 2.5 quintillion bytes of data every day, and the more data we generate, the greater the risk to our digital security. Coupled with this, the threat of cybercrime to every organisation is constantly growing—attacks are becoming not only more frequent but in some instances more damaging. It’s well understood that the face of organised crime is changing as it moves away from traditional crime and into cybercrime.
In fact, people are now more likely to be affected by online crime than any other kind: the latest crime survey from the Office of National Statistics found that 1.83% of adults have experienced a computer misuse crime, compared to 1.75% who had been a victim of violence, 0.8% of theft and 0.3% of robbery. In addition, the National Cyber Security Centre recently warned that it’s only a matter of time before the UK faces a “Category 1” cyber emergency, i.e. a cyber-attack that causes “sustained disruption of UK essential services.”
A Category 1 attack would cause severe economic and social damage and even loss of life. Things have definitely moved on from the odd virus 25 years ago.
A country unprepared?
But while new research suggests that 53% of UK businesses have increased their cyber security spending in the past three years, the country’s outlay pales in comparison to that of other countries.
A report comparing businesses of varying sizes across seven countries found that British firms had the lowest cyber security budgets. Companies in the UK spent on average less than £690,000 on digital security; a far cry from the £1.12m cross-country average.
The good news is that Government and organisations in the United Kingdom are starting to take note of the growing threat and are increasingly investing to protect themselves.
Following the impact of the 2017 WannaCry virus, the NHS has pledged £150m in additional cyber security spending over the next three years. Plans to tighten security include ensuring all health and care trusts can access Windows 10 software, rolling out a £21m upgrade to firewalls and network infrastructure, and imbuing the Care Quality Commission regulator with powers to inspect cyber and data security standards. A new cyber security operations centre will also be established to help detect and address attacks and breaches quickly. This is all a really positive sign.
But taking the NHS as an example, is it enough? The age-old problem of ‘security economics’ will continue to thrive, i.e. what is an acceptable and sensible level of investment in security protection versus risk acceptance for each and every business and public sector organisation. Security experts often criticise companies and government for determining the security budget before determining the security strategy. These are First World problems that many profit-making businesses simply have to recognise and prioritise accordingly.
Increasingly sophisticated attacks
The challenge with using stats and averages to track how safe you are is that cyber-crime is ruthlessly unpredictable. Protecting yourself is not a one-and-done job; it must be a constant priority to address and react to moving goalposts, evolving policies and changing budgets.
Cybercriminals are getting a lot more sophisticated, with things like advanced phishing techniques, remote access attacks targeting smart devices such as thermostats, TVs and cameras, and malware in mobile apps all becoming increasingly prevalent. Cybercriminals have evolved, and so, in turn, must businesses.
Security is not an add-on
Opening the door to digital will do wonders for a business, but not if you leave the door open behind you. Outsourcing infrastructure, changing the way data is stored and shared, and enabling greater connectivity between a plethora of devices can leave businesses exposed to new threats if they don’t take proper precautions.
The big risk in digital transformation is that the attack surface is now much larger. Data is everywhere, and it’s no longer hidden behind firewalls.
Greater access from more devices means companies need to focus slightly less on the castle walls (the data centre and its perimeter) and more on the treasure in the chest: the actual business data. Access management, data loss prevention (DLP), encryption and robust multi-factor authentication should be priorities.
Too many businesses consider security as the last stage of transformation. They build the castle and then add the moat. But security is not a distinct layer that can be dropped on top of existing operations. It is not a switch to flip. It needs to be woven into culture and processes as early as possible.
It’s clear that UK businesses have to start tackling risks to cyber security with more conviction—and that means more than simply shelling out for the latest security software. Investing resource in security is about planning and people as much as platforms.
The underfunded weapon in the war against cybercrime: people
One of the most crucial elements of a cyber security investment plan is internal training.
Users are the biggest threat to any organisation’s security; it’s thought that more than 95% of security incidents are caused by human error.
Many users within a business still believe that guarding against cyber threats is the IT department’s responsibility. The reality is that security systems can only do so much when end users have not been adequately educated about everyday risks, such as links in spam emails, or locking their accounts with the same password they’ve been using for a decade.
In my opinion, one of the most important things a company can do to protect itself in the face of advancing security threats is to initiate a sea change in their workplace. Businesses need to invest in training, internal messaging, and process changes that position cyber security as an “us” issue, rather than a “them” issue. Employees need to understand that cyber threats don’t come through a single, mythical pipeline behind their firewalls, but attack from all angles, on all fronts.
With cyber threats constantly evolving, businesses need to be more reactive in the way they educate their employees. Having staff read and sign a list of rules once a year isn’t enough; it’s just as important to “patch” people as it is software. Businesses should regularly circulate concise and informative updates, ensuring all staff are aware of any new trends or known threats to look out for.
The battle against cyber threats will not let up. It’s time for businesses to invest wisely in their defences, or potentially face paying with more than just their money.
Written by Mark Hill, CIO at niche IT staffing firm Mason Frank