Cyber security is climbing its way up the boardroom agenda as UK firms face determined attacks from organised hackers
The UK boasts one of the world’s most dynamic technology sectors. The cluster of tech startups in central London has created so many hundreds of businesses and tens of thousands of jobs in the last five years that venture capitalists from Silicon Valley come here looking for ideas to back. What economist Doug McWilliams called the “flat white economy”, a reference to the number of businesses that appear to have started life in the coffee shops around Old Street, has made London one of the world’s most economically successful cities.
But there is a downside. Among all the world’s developed economies, no country suffers as many cyber attacks. We are the computer crime capital of the world, from the victims’ standpoint if not from that of the perpetrators.
An attractive target
According to a survey published by Trend Micro, a software security company based in Marlow, Buckinghamshire, the estimated average number of targeted cyber attacks reported by UK organisations is almost 40 per cent higher than the European average: 8.6 attacks per business against a European average of 6.2. The most recent attack had, on average, taken place within the previous 80 days in Britain and 87 days in the rest of Europe.
And the threat is increasing. The firm’s Europe-wide research questioned 500 senior IT decision-makers from organisations with more than 2,500 employees and found two-thirds believe the attacks have increased year by year and that further increases are almost inevitable. They think the increase in the UK last year was more than 60 per cent. And a more sinister trend is that the attacks are becoming much more professional and organised. Career criminals are taking over from the amateur hacker.
The sliver of good news in this is that defences in the UK seem to be more developed than in many countries. This means not only that attacks are proportionately less likely to succeed and less data is stolen, but also that the cost is lower. According to the Trend Micro survey, an attack here costs the average business £172,000 against £243,000 in the rest of Europe.
Bear in mind, however, that survey evidence is not the same as statistics, and to many experts these figures seem far too low. Unfortunately, in contrast to the United States, there is no legal requirement to report security breaches in the UK. Consequently, it is believed many go unreported because companies do not wish to advertise their weakness, and the true scale of the problem is unknown.
Risks are on the rise
Nevertheless, it is pretty big. The UK government publishes an annual Information Security Breaches Survey put together for it by consultants PwC in association with Infosecurity Europe. The 2015 version said that 90 per cent of large companies and 74 per cent of small businesses in the UK had a security breach last year. The corresponding figures for 2014 were 81 per cent and 60 per cent.
This survey also reports a sharp increase in the resultant costs. It says: “For companies employing over 500 people, the starting point for breach costs, which includes elements such as business disruption, lost sales, recovery of assets, and fines and compensation, now starts at £1.46 million as against just £600,000 the previous year.”
It could be much more: the top of the cost range for big companies reaches £3.14 million. Remember too that this is the cost of just one breach but, according to the survey, a company may experience several during the year. Indeed, the median number for large organisations last year was 14, while smaller firms, where the costs range from £75,000 to £311,000, were hit on average four times.
It needs to be emphasised, however, that not all security breaches are a result of criminal activity. Perhaps as many as half are blamed by firms on human error by employees and contractors, either inadvertently or because they failed to follow established security procedures.
Understanding the damage
But crime still imposes a huge cost. The Centre for Economic and Business Research (Cebr), in its June 2015 report The Business and Economic Consequences of Inadequate Cyber Security, said cyber attacks cost UK firms £34 billion a year in revenue losses and subsequent increased IT spending. This splits between £18 billion of lost revenue and £16 billion in increased expenditure.
Again, however, these figures can be considered an under-estimate because they don’t take account of the share price decline, which can result when news of a successful attack becomes public, or the reputational damage that may last for years and is notoriously hard to quantify.
Share price damage is often repaired in a few days, but again this cannot be assumed. In a couple of the worst cases in the United States, the share price of AOL was still down by a quarter one month after it was attacked while that of Heartland Payment Systems was down by a half.
Closer to home, the shares of UK mobile and internet supplier TalkTalk were trading at 290p on October 20 just before the company announced what seemed initially to be a massive theft of customer data. They were languishing at 217p at the end of the year. In round numbers that is a loss of £750 million of market capitalisation though the company said the direct costs of the attack were likely to be between £30 million and £35 million.
Another cost, which is impossible to quantify, is the effect of cyber security on the development of the wider business. According to the Cebr report, 70 per cent of chief technology officers polled believe their current cyber security policies inhibit innovation to some extent, a finding which implies risk management policies need to be reviewed in this context.
Nor is it easy to quantify the cost of a souring of business relationships. The US arm of T-Mobile reacted very negatively when Experian announced it had been hacked and had lost personal data on potential new customers of T-Mobile, which it had put up for credit checks.
Similarly annoyed were the customers of Moonfruit. It acts as host for a lot of smaller company websites. When it was attacked just before Christmas these businesses lost their websites, albeit only briefly, in what was for them the busiest period of the year.
Some companies neglect their cyber security defences because they say they have nothing worth stealing. However, the Cebr report says that in 70 per cent of cases cyber attackers are not interested in the primary victim itself; their main motive is to use the extracted information to mount the real attack.
And while most agree the most determined criminals will probably penetrate any system in the end, the same report says that a few simple procedures, which are in effect good housekeeping, can greatly enhance effective defence. Cebr says the top five controls that help prevent cyber breaches are web-application testing, two-factor authentication, verifying the need for internet-facing devices, patching or isolating web services, and logging and verifying outbound traffic.
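The last of those five controls, logging and verifying outbound traffic, as an added example that is not part of the original article or the Cebr report: a Python check over a few constructed egress firewall log lines that flags internal hosts sending to destinations outside an assumed allowlist and counts unusually large flows, which is the kind of review that makes data theft visible early. The log line format, the allowlist and the size threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of egress firewall log lines (not real traffic; format is assumed).
SAMPLE_LOG = """\
2015-10-20T09:58:01Z src=10.0.1.15 dst=198.51.100.20 dport=443 bytes=2400 action=allow
2015-10-20T09:58:07Z src=10.0.1.15 dst=203.0.113.9 dport=443 bytes=5200000 action=allow
2015-10-20T09:59:15Z src=10.0.1.22 dst=198.51.100.20 dport=443 bytes=1800 action=allow
2015-10-20T10:01:44Z src=10.0.1.22 dst=192.0.2.77 dport=8080 bytes=900 action=allow
2015-10-20T10:02:03Z src=10.0.1.40 dst=203.0.113.9 dport=443 bytes=4100000 action=allow
"""

# Assumed egress allowlist: destinations the business has a known reason to reach.
ALLOWED_DESTINATIONS = {"198.51.100.20"}

# Assumed threshold above which a single outbound flow deserves a closer look.
LARGE_FLOW_BYTES = 1_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def verify_outbound(log_text, allowed=ALLOWED_DESTINATIONS, large=LARGE_FLOW_BYTES):
    """Per internal host: destinations not on the allowlist, bytes sent to them,
    and how many of those flows exceeded the large-flow threshold."""
    findings = defaultdict(lambda: {"unexpected": set(), "bytes": 0, "large_flows": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # skip unparseable lines and traffic the firewall already blocked
        if rec["dst"] in allowed:
            continue  # known, expected destination
        host = findings[rec["src"]]
        host["unexpected"].add(rec["dst"])
        host["bytes"] += rec["bytes"]
        if rec["bytes"] >= large:
            host["large_flows"] += 1
    return {src: {**v, "unexpected": sorted(v["unexpected"])} for src, v in findings.items()}
```

Running `verify_outbound(SAMPLE_LOG)` reports two hosts each sending several megabytes to an address not on the allowlist, which is the pattern a reviewer would want raised before it becomes the headline.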
That said, cyber security clearly needs to move up the list of boardroom priorities. In finance this has already happened with a recent banking study from the Cyber Security Forum Initiative listing it as the number-two concern. It seems only a matter of time before the commercial world comes to the same conclusion.