One in three businesses fear a cyber security attack – Do you have cyber protection?

In owner managed businesses specifically, research we conducted shows 1 in 3 [3]business owners surveyed believe a cyber attack or data breach is likely over the next year*. These figures are stark and may indicate a lack of cyber resilience in this sector.

Given today’s reliance on technology, most organisations have concerns about the impact of a cyber security attack and their ability to defend against, respond to and recover from such an attack. Many small to medium enterprises, particularly owner managed businesses typically lack the same level of in-house expertise and resources in cyber security as larger organisations.  That’s not a criticism, it’s a simple fact.

Smaller businesses tend to have less budget allocated to fighting cyber crime and they also tend to lean on internal IT operations teams to manage security, rather than have dedicated in-house security skills or access to external security expertise.  In this scenario where there is a lack of in-house expertise, three critical questions should be considered:

• Are we prepared for an attack?
• Can we recover from an attack?
• How quickly can we restore operations to minimise operational disruption, financial losses and brand reputation?

Our research also shows that 1 in 5 (19%)[4] of business owners surveyed share that they are entirely unprepared for a cyber attack, with a further 40%, explaining they are somewhat prepared*.

There is a perception that somehow a cyber security attack is less likely to occur in smaller organisations, and that hackers will therefore spend their time focusing their intent on big banks or high profile brands.

Cyber crimes have become more sophisticated, but also more indiscriminate. Yes, targeted attacks still persist, but now hackers can buy software and tools from the dark web at a low cost. This means they can use this software to target organisations without much effort to and increase their chances of extracting cash from multiple targets.

For context, let’s put ourselves in the shoes of a hacker. If you intend to extract monetary gain via a cyber attack, would you target the big banks who spend multi-millions of their cyber defences or would you instead attack smaller businesses, whereby defenses are perhaps weaker?

To try to quantify this, a report from Sky News [1] estimated average losses of nearly £31,000 for each day an SME is forced to close due to cyber security attacks. SMEs who have yet to experience a cyber attack underestimate the financial impact by nearly £85,000.

Even the largest organisations who allocate vast budgets to their cyber security posture are still at risk of a cyber attack. Cyber security is concerned with minimising and mitigating the risk. Businesses should focus on how to minimise the likelihood of an attack, which correlates to improving their ability to respond to and recover from an attack.

The UK National Cyber Security Centre (NCSC) guide [2] highlights some tactical measures that all organisations should implement. This is an adequate starting point for many smaller organisations and owner managed business. Beyond these immediate tactical actions, organisations can consider a program which follows these core strategic activities:

Cyber security is a board owned risk. Board members, executive leaders and business owners need to have greater visibility and understanding of the cyber threat landscape. They also should have access to cyber expertise to help understand their current risk exposure.  

Ideally, cyber security should be an agenda item at board meetings, where weaknesses are openly shared and regularly discussed. Greater board level visibility and governance around security will provide the platform for improved and informed risk based decision making.

In order to improve board awareness, organisations firstly need to understand their threats and risk exposure. To achieve this, they should understand what external threats they are exposed to and identify the associated risks. To make this exercise meaningful, it’s critical to then assess the extent to which they have protective measures in place to mitigate those risks.

Organisations typically undertake a gap assessment to highlight current strengths and identify weaknesses. Understanding the exposure to these risks is the cornerstone of good practice security. Without it, boards are unable to make informed decisions or establish the level of risk tolerance they wish to accept.

You should ensure to consider third party supplier risks where IT systems interface with external suppliers or vendors, as risks can be introduced from any connected third parties. Measuring gaps against an established and recognised security framework is highly recommended, and its wise to choose one that is either industry specific or follows international standards that provides comprehensive coverage.

Once an organisation understands their level of risk exposure and risk tolerance, the next step is to design and implement additional key controls to mitigate these risks and weaknesses.  

Understanding your risk appetite here is critical to ensure investment is proportionate with the organisations’ risk exposure and tolerance. A low risk tolerance will obviously drive the need for greater investment, whereas a higher risk tolerance may reduce the need for costly protective controls. However, a high-risk appetite usually drives the need for greater investment in the ability to respond to and recover from a cyber incident.

Having a robust set of controls in place to protect the organisation is critical. Subject to the organisation’s reliance on IT and complexity of the IT estate, one area to consider is the ability to detect malicious practice or unusual activity. Implementing a logging and monitoring solution that monitors network traffic, unauthorised attempts to access IT resources or user access behaviour can be an excellent investment but also costly.

Any investment should be guided by risk exposure and risk appetite. There are manual methods that can be employed such as regularly looking through system logs, analysing network traffic, performing security scans or setting up end user devices to provide alerts. Overall, these methods can be labour intensive and require a level of expertise to understand what logs and network traffic are showing. It is best to gain advice in this area if you are considering a significant investment.

Having the ability to detect issues can be a wise investment that allows organisations to react quickly and minimise the potential threat. It is the ability to respond that often determines whether an incident is captured and contained or goes on to cause a major incident. Developing and testing incident response plans is essential. Many organisations incur greater loss due to an ineffective response to a cyber incident, ultimately increasing costs and causing disruption to the business for a longer period of time.

Should a cyber-attack be successful and lead to significant operational disruption or loss, then the ability to recover becomes critical.  Some organisations can cope for a short period of time, reverting to manual operations, yet these measures are often overwhelmed in a matter of days.  Should all systems be compromised concurrently this can cause major disruption. 

Many organisations believe simple back-ups are sufficient in this area, but this isn’t always the case as backups are often also compromised. Hackers often target backups to cause major disruption and increase the potential for a ransom payment. Understanding the criticality of IT systems, considering implementing additional resilience and building a recovery plan will significantly improve the ability to restore operations in a timely manner.

Finally, educate your team. A large percentage of cyber incidents arise from employees clicking on links, by which they have given access to an IT system or the entire network to a hacker. This is covered within the NCSC’s guidance. 

Your people are your first line of defence and the more they understand the risks, the better.  It is wise to implement some employee awareness training and test the team with phishing attacks via email. The response to anyone failing the test should be further, not punitive action.

If you would like to find out more about how to protect your business against cyber risks, please get in touch with our experts.

* The research was conducted by Censuswide, among a sample of 500 18+ UK Business Owners (Businesses with a turnover of £5m+). The data was collected between 18.09.2024-02.10.2024. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.

[1] **Sky Business research: SMEs miscalculate the cost of cyber attacks on their business

[2] - Small Business Guide: Cyber Security - NCSC.GOV.UK

[3] Combines 'Very likely' and 'Somewhat likely'

[4] Combines 'Not at all prepared' and 'Not too prepared'