Brian Harrison: The cost of staying safe from cyber criminals

UK businesses are spending huge sums of money every year protecting their critical assets against opportunistic cyber criminals. And according to our recent research, a spate of high-profile data breaches has seen that number pass the £6.5bn mark. It’s a frightening statistic considering the challenges businesses, particularly SMEs, face over the coming months, and it is at tough times like these that things like security testing often get put on the back burner, despite the obvious threats.

It’s not beyond reason that you’ll read a story today about a business that has been on the receiving end of a security breach. We live in a digital age where the internet plays a pivotal role in the success of businesses. And the advent of the internet of things is only going to make things more complicated, with hackers presented with even more ways to gain access to a business’ data.

In the last six months alone, we have seen Marriott Hotels, British Airways, Amazon and numerous others come under attack. And it probably won’t surprise you to learn that a quarter of companies we surveyed reported an increase in data breaches of between 10% and 20%, while one in 10 reported an increase of between 30% and 40%, and more than a half reported up to 10% more data breaches.

In 2018, one in three (33%) UK businesses battled a security breach that directly hit their bottom line, with a staggering 81% reporting a loss of customers. It doesn’t stop there though. Data security is a huge issue and one that customers now take extremely seriously, which is why two-thirds (67%) have suffered reputational damage. Meanwhile around half experienced a disruption to trading (58%) and 69% were fined by regulators. There are few that can afford the burden of costs or resulting impact of a cyberattack.

Despite all this negativity, Business Secretary Greg Clark recently said that he wants the UK to be a world leader in cyber security. It’s an ambitious statement, but one we should definitely be looking to achieve considering the resources the government have put into building the NCSC. However, there is a fundamental problem with us delivering on Mr Clark’s manifesto – the cost of security testing.

One thing is clear. Businesses are worried about their companies’ networks and computer systems being hacked and data being stolen. Plus, many regulatory standards now require tests to be performed on at least an annual basis. However, 77% of UK businesses think the cost of conducting the tests that help protect their assets has become too expensive.

Security testing – the vigorous investigation to identify any weaknesses – is a vital way of protecting businesses from hackers. Testers – sometimes referred to as ethical hackers – check computer networks, systems, or web applications to find potential vulnerabilities, attempting to exploit the weak areas. They then document how severe the issues are and recommend the steps that should be taken in order to resolve them.

It is an industry that is dominated by multinational consultancies who provide services to businesses, sometimes at twice the daily rate of an independent tester. And the growing importance of the security test means that more are being conducted than ever before. But smaller businesses simply can’t stomach the costs in this day and age, and it is those firms that are most at risk of the inflated costs. Why? Because they lack the skills to understand the risks or the plethora of threats they face, and therefore rely heavily on the external suppliers to advise them.

Just one in five (21%) UK companies believe they have adequate in-house skills to conduct security tests – the majority of which are large organisations with over 750 staff. Smaller businesses are just as much at risk, but they can’t afford to recruit internal cyber security specialists. The problem is that these firms are the lifeblood of our economy with many large companies relying on SMEs to operate. Logistic service providers are a great example of this – if they fail, the whole supply chain collapses.

The security landscape is complex, and it will only get more difficult to manage over the years to come. If the UK is to become a world leader in cyber security then we must find ways to ensure that small and medium-sized businesses have access to high-quality testers.

While it is fantastic to see the government pledging investment in security hardware, it is worth noting that according to the NCSC, what makes a security test so valuable is that it deploys ‘highly skilled human minds against your defences’, meaning there is ultimately no technological substitute for an experienced tester. The problem with the current model is that you often don’t know who is testing your assets and how qualified they are to do so.

If businesses want to confirm their long-term futures and stay safe from attacks they need to ask themselves three questions: is the person carrying out my tests suitably qualified; why do I need to do it; and am I paying too much. It’s a starting point, but one that will put the UK on the path to being the safest place to do business.


Brian Harrison, CEO, AVORD Group

AVORD launched in early January promising to help shake up the security testing industry. For more information visit www.AVORD.com
