9/10 big businesses have suffered a significant cyber attack
New report from insurance giant Lloyd's claims that businesses have become ‘complacent’ as attacks rise - meanwhile GDPR preparations are being ignored.
An astonishing nine out of 10 big businesses have suffered significant cyber attacks in the last year alone, according to a new report.
The report, from insurance giant Lloyd's, found that in spite of the headline figure, less than half of the businesses surveyed were concerned about suffering a future breach.
The findings chime with research commissioned by the UK government earlier this year, which found that 65 per cent of big businesses in the UK were hit by a cyber-attack or breach in 2015. A staggering quarter of those companies experienced at least one breach per month.
The Cyber Security Breaches Survey, carried out by Ipsos MORI, also found that SMBs are failing to set cybersecurity standards for their suppliers: only 13 per cent of all businesses do so (the picture is worst for small businesses, with 25 per cent of medium-sized firms and 34 per cent of large organisations doing so).
A mere 22 per cent of SMBs have given employees cybersecurity training in the past year; the figure rises to 38 per cent for medium-sized businesses and a more impressive 62 per cent for large ones. This may go some way towards explaining the main attack vector highlighted by the research: 68 per cent of successful attacks (i.e. those that resulted in a breach) came via viruses, spyware or malware.
High-Tech Bridge’s own research has found the same, with an ongoing trend of Blind XSS attacks being used by cybercriminals to infect privileged website users (e.g. support staff or administrators) via drive-by-download attacks. Interestingly, the Cyber Security Breaches Survey found that the second most popular attack vector (at 32 per cent) was impersonation of the organisation.
A particularly popular method of compromising corporates is via their own web applications: because these are likely to be whitelisted and trusted by staff internally, very little encouragement is needed to trick users into unknowingly clicking infected links. A full step-by-step article explaining the breakdown of the attacks is here.
So what can businesses do in the short term? Basic security education of staff is essential, but increasingly sophisticated social engineering attacks are getting around it by using more credible language and more highly trusted internal resources (for example by compromising legitimate resources such as the company’s own site). Taking steps to prevent these traditionally low-risk compromises therefore has to become more of a priority.
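To make the Blind XSS scenario above concrete, here is an added JavaScript example (not code from the article or from High-Tech Bridge). It models a support ticket submitted through a public form and later rendered to a support agent inside a trusted internal application, showing the vulnerable template next to the output-encoded one and a small check a reviewer can run over rendered pages. The ticket contents, the `escapeHtml`/`renderTicket*` function names and the CSP value are all constructed for illustration.

```javascript
// Added example, not code from the article or from High-Tech Bridge.
// Blind (stored) XSS: a payload submitted through a public form is
// rendered later to a privileged user inside a trusted internal app.
// All names and the sample ticket below are constructed for illustration.

// Constructed sample: a support ticket submitted by an anonymous visitor.
// The submitter never sees this render; it happens later in a support
// agent's or admin's browser, which is what makes the XSS "blind".
const constructedTicket = {
  id: 4711,
  subject: 'Cannot log in',
  body: 'Please help <script>alert(1)</script> thanks',
};

// The five characters that can change HTML context, mapped to entities.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for an HTML element body or quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering: user-controlled fields are concatenated straight
// into markup, so a tag in the ticket body runs in the agent's session on
// the whitelisted, trusted internal support site.
function renderTicketUnsafe(ticket) {
  return `<article class="ticket" data-id="${ticket.id}">
  <h2>${ticket.subject}</h2>
  <p>${ticket.body}</p>
</article>`;
}

// Hardened rendering: every untrusted value is encoded where it enters
// the HTML, so the payload is displayed as text instead of executed.
function renderTicketSafe(ticket) {
  return `<article class="ticket" data-id="${escapeHtml(ticket.id)}">
  <h2>${escapeHtml(ticket.subject)}</h2>
  <p>${escapeHtml(ticket.body)}</p>
</article>`;
}

// Review/logging helper: does a rendered page still carry an inline
// script tag or an inline event-handler attribute?
function hasInlineActiveContent(html) {
  return /<\s*script\b|\bon[a-z]+\s*=/i.test(html);
}

// Defence in depth: if one template misses the encoding step, a
// Content-Security-Policy that forbids inline script stops the payload
// from running in a modern browser. Constructed value for illustration.
const CSP_HEADER_VALUE =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

console.log('unsafe render carries payload:',
  hasInlineActiveContent(renderTicketUnsafe(constructedTicket)));
console.log('safe render carries payload:  ',
  hasInlineActiveContent(renderTicketSafe(constructedTicket)));
console.log('CSP to send with the page:', CSP_HEADER_VALUE);
console.log(renderTicketSafe(constructedTicket));
```

The point of the encoded template is that it needs no knowledge of what the attacker sent: any ticket field is treated as text at the moment it is written into HTML, which is exactly the property a blind payload relies on being absent. The CSP value is a second layer for templates that were missed, not a substitute for encoding.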
However, Lloyd’s CEO Inga Beale said that, while the poll findings show European businesses to be overly complacent about the risk of cyber attacks, the real upset could come from falling foul of more rigorous EU data protection laws.
“It is a reality, you will be hacked or attacked in some way,” the Telegraph quoted Beale as saying. “There’s been an element of complacency in the past, but it’s going to become more prevalent.”
Despite the General Data Protection Regulation (GDPR) coming into effect across the EU in under two years, in early 2018, 57 per cent of business leaders admitted they do not fully understand its potential implications for their enterprise.
Those that were aware of potential implications of GDPR broke the impacts down into regulatory investigation (64 per cent), financial penalties (58 per cent), impact on share price (57 per cent) and reputation (52 per cent).
The new data regulations set maximum fines of up to €20 million, or 4 per cent of a company’s global annual turnover, for companies that fail to protect data properly. The maximum fine under the UK Data Protection Act is currently £500,000.
Although the GDPR may not apply to the UK directly post-Brexit, parallel regulation will probably be required in some form in order to trade with and share data with European institutions and businesses.
“Whether the UK will have to comply [with the GDPR] or not is almost irrelevant,” said Ms Beale. “We should be putting in very tight controls over this and to get it taken seriously.”