Where are UK firms falling short on cybersecurity?

Businesses across Britain are still not doing the basics when it comes to defending themselves online. Here’s where they should be upping their game.

By definition, the fundamentals are important in cybersecurity. After all, not only do fairly basic cyber defences make an outsized difference to an organisation’s odds of falling foul of a cyber breach – most attacks being relatively unsophisticated – but they also influence how well that organisation will be able to respond to and bounce back from an incident.

However, according to data from a survey by the Department for Science, Innovation and Technology, UK businesses are still falling short when it comes to defending themselves. While most businesses have a range of defences in place, including malware protection and cloud-based back-ups, some firms are still failing to take even the most rudimentary of cybersecurity measures, such as using network firewalls or putting more rigorous password policies in place.

And what’s more, the situation actually seems to be getting worse, particularly among smaller businesses.

The problem becomes even clearer if we take a longer view of one specific aspect of basic cybersecurity: staff training.

Multiple factors are at play here. For one, the Covid-19 pandemic undoubtedly hit businesses’ ability to deliver staff training on cybersecurity, what with employees in many cases working remotely and therefore being unable to attend in-person sessions. IT teams were also stretched particularly thin during this period, as they focused on transitioning their organisation to new ways of working, while still maintaining core cybersecurity. And costs will also have factored into this, with the post-Covid economic malaise meaning that money is tight and business leaders’ spending priorities may now lie elsewhere.

However, businesses’ waning attention to cybersecurity also means that they’re not always set up to bounce back effectively and learn from their mistakes in the event that something does go wrong. For instance, British businesses still tend to perform quite poorly when it comes to incident response.

It’s clear, then, that as well as failing to do the basics of cyber defence, British businesses are also insufficiently proactive in the wake of a cyber incident. And even when they do get proactive, they tend to fall back on technical fixes, as opposed to rooting out any underlying cultural or educational shortcomings.

And finally, the costs of these bad cybersecurity habits are plain to see, even where the impacts of an incident are non-material.

In short, then, British businesses’ cybersecurity failings may well be costing them significantly, in ways they aren’t even necessarily aware of. That’s bound to be an extra source of pain that firms could do without, especially in these difficult economic circumstances.