The number of UK businesses that have suffered cyber attacks has doubled in the past five years, according to a new report.
Beaming’s Five Years in Cyber Security found that 1.5 million organisations fell victim to cyber crime in 2019. This equates to 25% of all UK businesses, compared to 13% in 2015.
Phishing and malware were the most common attack methods, and the larger the organisation, the more likely it was to fall victim.
Among small businesses, phishing attacks succeeded 29% of the time and malware attacks 20% of the time; among large businesses, those figures rose to 38% and 31% respectively.
Not all attacks involve criminal hackers breaking into an organisation’s systems from outside, though. Employees have consistently been responsible for a little over a third of breaches, whether through malicious intent or negligence.
The cost of cyber crime
Beaming calculates that UK businesses lost almost £13 billion to cyber crime in 2019, and when damaged assets, financial penalties and lost productivity are factored in, the total cost over the past five years exceeds £87 billion.
On the plus side, the average cost per breach has fallen from £26,000 in 2015 to £6,000 in 2019, although that is offset by the increase in the overall number of incidents.
The report also found that the cost of a breach does not vary much with the attack method used; the exceptions are IoT (Internet of Things) attacks and cryptojacking.
Organisations are fighting back
Although the number of cyber attacks has increased over the past five years, organisations of all sizes are doing a better job of addressing the risks.
Beaming found that 20% of small businesses, 24% of medium-sized businesses and 36% of large businesses now discuss a range of threats at board level, while the proportion taking additional steps to mitigate those threats has increased from 16% in 2015 to 37% in 2019.
Many of those organisations have correctly identified malware as a top priority: 45% say they have taken extra security precautions to tackle it, compared to 26% in 2015.
However, there is still a lot more they could be doing. For example, the report found that:
- Only 9% of organisations have a documented cyber security policy;
- Only 10% have cyber insurance; and
- Only 10% have implemented an intrusion-detection system.
Beaming notes that organisations should take a strategic, holistic approach to cyber security rather than identifying specific threats and addressing each one as it arises.
That’s why it recommends ISO 27001, the international standard that sets out the specification for an ISMS (information security management system).
ISO 27001’s best-practice approach helps organisations manage their information security by addressing people and processes as well as technology.
Independently accredited certification to the Standard is recognised around the world as an indication that your ISMS is aligned with information security best practice.
Our green paper Information Security and ISO 27001 – An introduction provides more information on the Standard and how it fits into your organisation, including:
- The areas of information security that ISO 27001 covers;
- How ISO 27001 helps you meet your legal and regulatory obligations;
- Some key points to consider as you implement your ISMS; and
- The benefits of certifying to the Standard.