More than half of all businesses spent more on cyber security in 2017 compared to previous years, revealing how they are gearing up to face emerging cyber threats and also preparing for the upcoming data protection law.
Large businesses in the UK spent a staggering £387,000 on cyber security on average in 2017, but small and medium businesses continue to find it hard to invest in expensive cyber security programmes and services.
A survey of a large number of UK business executives by Turner Little has revealed how businesses are gearing up to face emerging cyber threats and preparing for the upcoming data protection law. Among other things, a significant finding of the survey is that businesses, large or small, are now spending more on cyber security than ever before.
Even though businesses are aware of the fact that no business can completely protect itself from cyber-attacks all the time, there is an urgent need to make cyber security a number one priority. A majority of businesses are therefore investing more in protecting essential data like customer personal and identifiable information, customer passwords, company financial information, strategic plans and patented intellectual property.
The survey revealed that while 65% of businesses give the highest priority to customer data, 36% are investing in securing passwords from malicious actors, almost one in five are engaged in securing financial information, and a similar number consider the security of corporate strategic plans the highest priority.
'Cyber security is something every business must be investing in. In this day and age, with the increases in technology and software, businesses are constantly under attack from hackers – both big and small. It is vital companies assess their cyber security plans continuously to ensure all data is secure,' says James Turner, Managing Director of Turner Little.
According to Turner Little, aside from pouring extra money into cyber security programmes and initiatives, businesses have also begun providing additional cyber security training to their employees. However, the firm also noted that a majority of those who receive such training are either IT staff, directors or senior management staff, or staff members whose job role includes information security or governance. Only 29% of those who receive cyber security training come from other departments.
While cyber security training will go a long way in protecting enterprise and customer data from insider threats, data leaks, and breaches owing to poor cyber hygiene among employees, it will make a lot of sense if all employees are trained equally on the importance of cyber security and the risks involved.
'Despite the cost, it is important to ensure that all employees understand how dangerous cyber breaches can be, and what their costs are – particularly in larger firms where the aftermath can be highly detrimental to the company’s reputation and client retention,' Turner adds.
The firm is now asking businesses to create CISO roles, integrate cyber security into their talent strategies, clearly define cyber security responsibilities within the organisation, stop viewing cyber security as an IT problem, put cyber security at the heart of digital innovation, develop dynamic cyber security risk management models and to strengthen resilience by having a clear crisis action and communication plan for when things do go wrong.
While large businesses with vast resources can act on all these recommendations, small and medium businesses are more at risk as cyber security programmes are quite expensive and require experienced and highly skilled staff to perfect. In October, a survey conducted by Duo Security in partnership with YouGov revealed that 38% of small businesses in the UK spent nothing at all to protect themselves from cyber security threats this financial year.
At the same time, 30% of small businesses allocated less than 3% of their overall budgets to cyber security products and services. If we add the two groups, an alarming 78%, or almost 4 in every 5, of small businesses in the UK spend either nothing or only a very small portion of their budgets to tackle cyber threats.
Recognising this, the ICO has launched a new helpline to help small and medium businesses adapt to the requirements of the upcoming data protection law. It has also published a Guide to the GDPR which has expanded 'the content of the current overview to make it a comprehensive guide along the same lines as the current Guide to Data Protection'.
'Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.
'Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law,' said Elizabeth Denham, the Information Commissioner.