Ask the average IT manager in the UK: the anxiety over cybersecurity is almost intolerable.
Not only are they facing an unprecedented volume of attacks, but attackers are getting smarter. Their ability to respond quickly has worsened and the resources they’re allocated are insufficient to repel attackers. At the same time, IT and Cybersecurity officers are expected to take responsibility for such attacks and their consequences. This situation is unsustainable and it won’t allow companies to develop the resilience they need to weather the cybersecurity storm that’s broken over the last 18 months.
In recently published research, polling 1,000 senior IT decision-makers at businesses across the UK, 72% of respondents had suffered a successful cyberattack in the past 12 months. For many, it’s been much worse — nearly a quarter (24%) had suffered five or more successful attacks over the period, some had far more.
There are approximately 6 million privately-owned businesses in the UK, not counting government-funded organisations like schools and hospitals. Globally, this number is a staggering 400 million. Given the massive increase in endpoints as catalyzed by distributed remote work, the extrapolated figures illustrate a cybersecurity emergency. Cybercriminals have billions of devices they can target and thus, the risk profile of SMEs has reached epic, historical levels.
You might imagine, given such figures and the very real, potentially fatal, costs that accompany successful cyberattacks — ransom payments, business disruption, supply chain failures, loss of reputation, regulatory fines and more — that businesses would jump into action to shore up their cybersecurity and cyber resilience measures. Some have, but the bigger picture is very mixed.
Investment priorities this year don’t include IT
IT overall, of which cybersecurity only forms a part, is not among the top three investment priorities for the majority of companies. Product R&D, sales and marketing are each given greater attention. While cybersecurity is certainly a priority within IT budgets, it’s not enough. Half (51%) of IT decision-makers surveyed are aware of gaps in their online security that aren’t currently being addressed, yet have no plans to address them for the remainder of the year.
The necessary investment isn’t just about new security tools and services. Investment in people, both in the form of added expertise, and in training for existing personnel, each have a significant part to play in raising standards and establishing resilience.
Unfortunately, each also presents difficulties for businesses across the UK. There simply aren’t enough IT security specialists to go around: 6 out of 10 businesses are having difficulty finding appropriate staff.
At the same time, training and development for regular staff is also desperately needed to establish a level of cyber hygiene that makes attacks less likely to happen in the first place, and also less likely to land significant damage.
The training side of the equation for regular staff is even more worrying for most UK businesses. The vast majority (79%) of UK businesses agree they haven’t implemented adequate training around good cybersecurity practices such as password hygiene.
Cyberattacks should be more than one person’s responsibility
IT managers clearly have a great deal of work to do, under enormous pressure, with not enough money and other resources to do it thoroughly. For many UK companies, it seems as though cybersecurity is often viewed as the primary responsibility of IT, rather than it being a company-wide shared responsibility. Perhaps then, it comes as no surprise that IT decision makers want to push the priority of cybersecurity to a higher level in the business.
Three quarters believe cybersecurity should be a broad-level topic with an executive dedicated to monitoring its effectiveness and ensuring online security is given the attention and sufficient resources it needs. When prioritised, understanding the requirements for cyber protection and recovery might lead to resourcing that’s attuned to the task at hand.
In fact, IT decision-makers want to raise the issue to the national agenda. Most (87%) think that nationwide regulation, scrutinising all businesses, would help both their role and help business communities thrive. Cyberattacks affect so much more than just the business that’s been targeted. The entire supply chain gets disrupted. And every successful attack encourages adversaries to attack again. So it’s not surprising almost all of those surveyed think basic cybersecurity protections should be a precondition for trading as a business. What’s more, they believe new employees across the UK should have to take a cybersecurity training course before they’re allowed to start.
Companies across the UK are struggling to put the right solutions in place to cope with cyberattacks and the consequences are both damaging and costly. If businesses want to bounce back fully as we continue to enjoy lockdown measures easing, they must first get their cybersecurity hygiene in order.