Cyber security concerns could once be dismissed as the preserve of big business. But, in today’s interconnected world, where many are still working partially remotely as a result of the pandemic, and Russia’s invasion of Ukraine is raising threats of cyber warfare, that era is long gone.
According to Santha Subramoni, Global Head of Cyber Security Business at Tata Consultancy Services: “As companies grapple with multi-dimensional threats, risk prioritization and quantification methods are exponentially important when deciding how to allocate cyber protection funds.”
However, data from the UK Department for Digital, Culture, Media and Sport shows that companies’ approaches to cybersecurity still vary significantly, with sectors that traditionally allocated spending to the issue still leading in preparedness.
Just over half of the companies surveyed by DCMS had sought external cybersecurity information or guidance in the past year. Small businesses and charities, which may not have invested heavily in cybersecurity in the past, were the least likely to seek advice.
In the financial sector, nearly 70 percent of companies had sought outside assistance or information, suggesting an awareness of the growing risk of being targeted by state groups. In February, the UK’s Financial Conduct Authority told banks to strengthen their defenses against the threat of Russian-sponsored cyberattacks, and Lloyds Banking Group chief executive Charlie Nunn said the group had been on “high alert” for the last two months.
But even among large and midsize companies, a quarter chose not to seek outside information or guidance. That was despite the increased opportunity for bad actors created by staff working from home during the pandemic.
However, Subramoni at Tata sees some progress: “Now more organizations are looking to external guidance to improve their cyber maturity and optimize their cyber protection budgets.”
Research from cybersecurity firm SonicWall supports that more positive outlook. “From mid-2020 to 2021, the number of CEOs who said cybersecurity risks were the biggest threat to near-term growth nearly doubled,” SonicWall CEO Bill Conner said in his recent report about cyber threats.
These risks now surface across a company’s activities, Subramoni notes, for example, in “the cloud, network, remote access, connected devices, and extended supply chain ecosystems.” That makes it especially important to implement strong cybersecurity practices across the board.
Encouragingly, most businesses and charities surveyed by DCMS had rules in place, such as ensuring up-to-date malware protection had been installed. A particularly large number of companies had also introduced strong password policies as well as firewalls for all their networks.
Less welcome, however, is the fact that only 30 percent of businesses and less than half of charities restrict system access to company-owned devices, potentially negating some of the protections they implement.
“Although the conceptual goals of BYOD [bring your own device] are an attractive prospect for most organisations, it comes with a conflicting set of security risks and challenges,” the UK National Cyber Security Centre warned last year. These challenges include the difficulty of protecting corporate data if external devices can access it, ensuring legal compliance, and having to support a broader range of device types and operating systems.
Just under two in five companies surveyed by DCMS said they had identified breaches, although the exact number may be higher: the fact that most breach identifications came from larger companies may reflect a greater likelihood that they were attacked or, instead, had detection systems.
Only a quarter of charities said they had identified breaches, significantly below the level of companies overall. However, the government found that charities and companies holding personal data were more likely than average to report breaches or attacks. This may be a reflection of the fact that only half of each category said they had rules for securely storing and moving personal information.
Data from cybersecurity firm SonicWall found that while the number of malware attacks globally fell 4 percent in 2021 to 5.4 billion, new attacks, including ransomware and encrypted threats, in which hackers hide malware using a common security protocol, had increased by more than 100 percent.
But phishing attacks, which try to trick users into divulging information, remained the most common type of breach identified by businesses and charities, reported by around 80 percent of each.
Phishing attacks also vary greatly in scale. They can be as simple as an email from a scammer posing as a member of a customer support team, or a concerted attempt to get users across an organization to click on infected websites and install malware.
At their core, though, they share a similarity, according to Dimitrie Dorgan, senior fraud risk manager at online identification company Onfido. “In social engineering, the weakest link is the human using it,” he told the FT last year. Among the trends he flagged were unexpected newsletters or emails sent to users who hadn’t signed up for them.