At the start of this year, we posted a blog on the ICT and Cloud trends to look out for in 2020 – and top of the list was cybersecurity. Prominent incidents such as the ransomware attack on Travelex, or the increasingly overt cyberwarfare between sovereign states, are but two examples of the cybersecurity chaos businesses will face this year.
We’ll dig a little deeper and see why and how this panned out in 2019 in the UK, and what it means for businesses in 2020. In July 2019, the UK Government published a detailed survey which looked in depth at the impact cybersecurity incidents were having on businesses (and other organisations), and at their struggles to keep up to date and fend off attacks and breaches:
- 30% of all micro/small businesses (60% medium/large) identified cybersecurity breaches.
- Medium and large organisations identified 6-12 breaches per year.
- 30% of all micro/small businesses did nothing after their most disruptive breach or attack.
- £4,000 (£10,000/£22,500) is the average annual cost for micro/small (medium/large) businesses.
The most worrying issue, however, is that while 50% of all large businesses have minimum cybersecurity standards for their suppliers, only 1/3 of all medium businesses do. It appears that none of the small/micro businesses have any such measures in place.
This reinforces four of our insights:
- No business is too small to be attacked. The days when small businesses could fly under the radar and be ignored by hackers are past.
- Even if your business is not the direct target of cyberattacks, you are ever more likely to be attacked as a springboard towards the actual target. It is far easier to attack less secured targets to gain information which can be used in the final attack.
- Cybersecurity is still not properly factored into the risk register and risk management of too many businesses.
- For micro/small businesses, the budget for IT and cybersecurity is often neglected or not large enough, a gamble based on the misconception that they are too small to be targeted (see above).
The costs of cybersecurity incidents – £10,000 pa on average(!) for medium businesses – refer only to the cost of rectifying the direct damage of the incident. They do not include the costs of regular maintenance of the infrastructure, staff costs, and other risk management related costs. Most importantly, they also exclude reputational damage – a cost that is hard to quantify and always underestimated. In today’s competitive world, this can result in a breach of trust which competitors are all too happy to exploit by taking business away from companies that have experienced data breaches.
A simple and quick exercise for the CISO and CFO of a business to start calculating the costs:
- What is your total cost of cybersecurity incidents per annum?
- What is the annual cost of the IT infrastructure you maintain?
- What is the cost of staff directly concerned with IT, plus the other costs of the IT security processes and procedures required for cybersecurity management, continuity planning, and other security-related risks?
- What is the cost of contracting a managed service provider who does most of the cybersecurity lift and shift for you?
The results should be pretty clear.
To shamelessly plug Mastercard: ‘There are some things money can’t buy. For everything else, there’s Digital Craftsmen’. It’s our job to keep businesses secure in the cloud and with our ISO 27001 and Cyber Essentials Plus accreditations, we really can deliver trust with verification.
Email the team at [email protected] or call us on +44 (0)20 3745 7706