The latest statistics show that 55% of UK firms experienced a cyber-attack in 2019, up 15% compared to 2018, signifying a growing threat. It also seems the Government is taking action to support businesses with protecting themselves, their customers, and their suppliers, having recently launched a call for evidence as part of its review of cybersecurity incentives and regulations.
For many years, cybersecurity has been reactive in most organisations, but it seems the tide is turning. According to Softcat’s latest Business Technology Report, organisations in the UK are now prioritising investment in cybersecurity above anything else to strengthen their defences.
In fact, 83% of industries ranked cybersecurity as their biggest technology priority in 2020. Of the 18 industries included in this study, only three – Construction, Public Education and Public Healthcare – didn't rank cybersecurity as their top priority area of tech investment.
Most organisations worldwide, large and small, understand cybersecurity is now a critical part of running their business. Businesses failing to protect their data, systems, suppliers and customers risk damaging their reputation beyond repair, receiving huge fines from the ICO and suffering crippling financial losses.
Embedding a culture of cybersecurity
Given the speed at which mistakes are exploited by cybercriminals, organisations need to get their security defences right to avoid becoming a victim. And this applies to all levels, from the most junior employees to the CEO and board of directors. Employees need to be at the heart of structures and policies, with an understanding of how people work and think.
Organisations often pay external consultants to provide answers. That does relieve some pressure on stretched teams, but to maximize the value of the consultancy you do use, it's important to critically assess their methodologies.
Staff are often best placed to act as an early-warning system, flagging any unusual behaviour, so it’s important to have a system in place, known to all employees, for acting quickly to block or minimize a threat.
A security handbook, supported with regular training, can make sure every employee knows how to manage their electronic equipment safely and what to do in different web-based scenarios. This knowledge should be regularly tested in a real-world context through drills.
It’s essential that, while employees understand their responsibility on a personal level, nobody seeks to assign blame in the event of a breach. Instead, a business should reconsider its collective security strategy and what can be changed to defend against any future attempts.
It’s also important that company-wide policies promote the practice of accepting software updates because they often include security patches for newly discovered vulnerabilities. Failure to patch security flaws in the Windows operating system was one of the main reasons why the WannaCry ransomware outbreak in 2017 was so successful, as it used an old and insecure protocol to spread.
Staying secure in the cloud
More and more hackers are targeting cloud providers to cause maximum damage. With many organisations transferring their operations to the cloud as part of digital transformation strategies, their exposure to attack can increase.
Due to the public nature of cloud providers, weaknesses can be quickly detected and exploited by cybercriminals. This places increasing pressure on already stretched IT teams. Cloud companies are aware of this growing problem and are doing their utmost to prevent such attacks. However, it can be difficult as the overall responsibility for protecting accounts is often shared between the cloud company and the client.
As a result, cloud companies expect their customers to securely configure the services they use. To encourage best practice, they provide a wide range of security tools, monitors and alerts. However, in some cases, these are part of additional paid-for modules.
It’s not uncommon for businesses to struggle with confusing pricing models when it comes to cloud packages, with many only realising after purchasing a new service that they require a more expensive tier or additional element to secure their systems effectively.
To address this, cloud companies must do more to educate their customers on best practice security configuration. Meanwhile, businesses must continue to invest in security skills training and onboard new talent to close the widening gap between their security needs and the resources they have to protect themselves.
About the Author
Adam Louca is the Chief Technologist for Security at Softcat, one of the UK’s leading business technology and service providers. The business specializes in developing, engaging and transforming the cybersecurity approach taken by its customers, which include some of the largest brands in the UK. In addition to this senior role, Adam also runs Softcat's cyber assessment services business, helping customers understand their current cybersecurity maturity and build roadmaps to improve it.