Canadian Underwriter

U.K. government lends support to smaller organizations to tackle cyber attacks


April 25, 2013   by Canadian Underwriter



The United Kingdom government is offering small businesses both advice and incentives in a bid to help them better protect themselves from data breaches, which climbed more than 10% in the last year.


Findings in the 2013 Information Security Breaches Survey – funded by the U.K.’s Department for Business, Innovation & Skills (BIS) and carried out by PwC in conjunction with Infosecurity Europe – show record levels of small businesses are facing the threat of losing confidential information through cyber attacks, notes a statement released earlier this week by BIS.

Overall, the survey of 1,402 respondents found the median number of breaches for large organizations (more than 250 employees) was 113, up from 71 a year ago, and 17 for small businesses (one to 50 employees), up from 11 a year ago.

The survey indicates 87% of small businesses across all sectors experienced a breach in the last year – up more than 10% and costing those organizations as much as 6% of their turnover, the BIS statement notes.

The average cost of the worst security breach for small organizations was £35,000 to £65,000; for large organizations, it was £450,000 to £850,000. At print time, one British pound was equal to $1.58. 

One of the case studies offered by BIS involves a small insurer that did not focus enough on security at its service provider. This resulted in a substantial data security breach: information believed to be accessible only internally, such as announcements and business development reports, was being indexed by web crawlers and made available in search rankings. It took almost a month to detect the problem, and required taking the system offline for a time.

“Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack,” says David Willetts, the U.K.’s minister for universities and science.

The survey findings come as the Technology Strategy Board extends its innovation vouchers scheme to allow small and medium enterprises to bid for as much as £5,000 from a £500,000 pot to be used to bring in outside expertise to improve cyber security.

BIS is also publishing guidance to help small businesses make cyber security part of their normal business risk management procedures, which seeks to protect valuable assets like financial information, websites, equipment, software and intellectual property. For example, “Small businesses: What you need to know about cyber security” notes that managing the risks involves planning, implementing and reviewing. Some examples of these steps are as follows:

  • Planning: Consider whether or not the business could be a target (this will indicate the level of risk to which the business is exposed). Assess the level of password protection required to access equipment and/or online services by staff, third parties and customers, and whether or not it is enough to protect them. Consider who you could turn to for support if the business is attacked, or if online services are disrupted.
  • Implementing: increase protection of networks, including wireless networks, against external attacks through the use of firewalls, proxies, access lists and other measures; restrict staff and third-party access to IT equipment, systems and information to the minimum required; and restrict use of removable media such as USB drives, CDs, DVDs and secure digital cards, and protect any data stored on such media; and
  • Reviewing: test, monitor and improve security controls on a regular basis to manage any change in the level of risk to IT equipment, services and information; remove any software or equipment that is no longer needed, ensuring that no sensitive information is stored on it when it is disposed of; and if the business is disrupted or attacked, ensure the response includes removing any ongoing threat such as malware, and, if appropriate, addressing any gaps in security that have been identified.

“Cyber security is an increasing risk for small and micro businesses and more and more, a barrier to growth,” comments Mike Cherry, national policy chairman for the Federation of Small Businesses. “Information security should be part and parcel of good business practice. We need to cut through the jargon to give straightforward and practical advice, to help businesses put in place protections in their business,” Cherry adds.

Other survey findings include the following:

  • 93% of large organizations surveyed reported breaches in the past year;
  • several individual breaches cost more than £1 million;
  • 84% of large businesses and 57% of small businesses report staff-related cyber breaches;
  • 81% of respondents reported their senior management place a high or very high priority on security, but many business leaders have not been able to translate expenditure into effective security defences;
  • 12% of the worst security breaches were partly caused by senior management giving insufficient priority to security; and
  • 78% of large organizations and 63% of small businesses were attacked by an unauthorized outsider (up from 73% and 41%, respectively).

“U.K. businesses face more advanced threats than ever before from unauthorized outsiders. The business world has changed and companies of all sizes, in all countries and across industries, are now routinely sharing information across business borders, whether it’s with business partners or employees’ personal devices,” Andrew Miller, PwC’s information security director, says in the BIS statement. “Cyber security is critical. It is no longer only an IT challenge.”


And that means businesses must ensure the way in which they spend money to control cyber threats is effective.

The 8% to 10% increase in spending on cyber control as a percentage of an organization’s IT budget is accompanied by a rise in both the number of breaches and their impact. “So it is clear that there is work to be done in measuring the effectiveness of the security spend,” Miller says.

Overall, the survey found that 23% of respondents have not carried out any form of security risk assessment and 31% do not evaluate the effectiveness of their security expenditure. The following findings are also related to security:

  • 10% of the IT budget is spent on average on security (up from 8% a year ago);
  • 16% of IT budget is spent on average on security, where security is a very high priority (up from 11% a year ago); and
  • 92% of respondents expect to spend at least the same on security next year (47% expect to spend more).
