What can be done to reduce cyber confusion for businesses?
Close to half of UK businesses have been hit by a breach or cyber attack in the last year, and the true number is potentially much higher, since the figure only includes firms that actually knew they had been attacked.
The 2017 Cyber Security Breaches Survey conducted by the UK government revealed that 46% of businesses identified one or more breaches or attacks within the last year. Despite this percentage of known malicious incidents, only 67% of businesses said that they spend money on cyber security.
That only this proportion of businesses spends money on cyber security is worrying: the growing prominence of cyber security, recent examples of breaches, and the impending arrival of GDPR leave little room to justify a lack of spending to tackle the issue.
There are, however, clear signs of growing awareness of the problem: 74% of UK directors said that cyber security is a high priority. That this percentage exceeds the proportion of businesses actually spending on cyber security suggests that firms are confused about exactly what course of action is necessary.
Brian Lord OBE, former GCHQ Deputy Director for Intelligence and Cyber Operations, and now Managing Director for PGI Cyber, said: “The threats are very different but the common denominator is one of confusion of what exactly they need to do to protect themselves and their horror at what they had been quoted elsewhere to help resolve a problem they didn’t understand.”
The noise surrounding cyber security has been immense: talk of adversaries outrunning the capabilities of cyber defenders and of constantly changing threats dominates the discussion. In addition, the approach of GDPR threatens businesses with crippling penalties if defences and practices are not up to standard.
Reflecting on the results of the Government survey, Anton Grashion, managing director of security practice at Cylance, said: “This is probably an underestimate if anything. Two reasons for this: firstly, this assumes they even know they have been hit; secondly, people are more likely to under-report. Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems, so it’s the unconscious acceptance of risk that plagues both large and small businesses.”
Recent cyber attacks on businesses have been put down to the growing sophistication of attack methods and to insufficient awareness and preparation by businesses to mitigate cyber risks. Many cyber security vendors also say that attackers are so advanced that no one can guarantee total cyber safety.
Although he agrees that businesses are not sufficiently protected, Mr Lord places the blame on the vendors: “The reason breaches are growing is because companies aren’t protecting themselves properly, because they are being made confused by the cyber security vendors. A ‘cyber mythology’ has been created by the industry, to sell unnecessarily expensive solutions through fear. All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions.”
A recent opinion comparable to Mr Lord’s is that of Dr Ian Levy OBE, Technical Director for Cybersecurity and Resilience at GCHQ. Dr Levy stood against the tide of cyber fear by saying that security firms were “peddling medieval witchcraft”.
Looking for a solution to the problem, Brian Lord said: “The unfortunately more boring but more realistic (however considerably more effective and cheaper) solutions reflect a blend of technology, human education and procedural measures. And that blend depends entirely upon the type of threat a company faces.”
The need to educate people about cyber security has been discussed at length, with the goal of improving personal and company security by reducing the mistakes that create entry points for attackers to exploit. Mr Lord adds to this by stressing the importance of education and awareness, placing it above the expensive packages offered by security providers.
Outlining the lack of understanding among businesses of what they need to uphold cyber security, Amichai Shulman, CTO and co-founder of Imperva, said: “Our experience shows that 100% of businesses are under attack. With 20% of companies being breached while only 24% believe they have proper security stance, we can only repeat the cliché that there are two types of business: those that have been breached and those that don’t know that they have been breached yet.”
Brian Lord summarises his perspective on the results and the solution: “It isn’t either expensive or complicated to understand and manage these risks. But while it is still made so – the figures in these reports will continue to grow and we will be no safer.”