- Just under three-quarters of businesses agree that being perceived as ‘cyber-complacent’ would be damaging to their business
- More than two-thirds of businesses are concerned they will lose customers following a breach
- Over half of UK organisations surveyed do not have a cybersecurity policy in place
A recent study by anti-virus and cybersecurity expert, Kaspersky, has confirmed that nearly two-thirds (65%) of IT security decision-makers agree that their organisation is complacent about the protection of its customers’ data.
TechRound spoke with David Emm, Principal Security Researcher at Kaspersky, who explained “it’s clear that personal data is very valuable to criminals.
“We seem to hear about a data breach every day and any successful breach has debilitating effects on an organisation including damage to reputation, loss of customers and huge financial implications.”
In fact, the average breach is estimated to cost around £3 million per incident.
The study showed that 47% of companies in the UK had suffered at least one cyber breach in the last two years – but many do not carry out a risk assessment more than once per year.
We spoke to David Emm to find out a little more.
If companies are not carrying out risk assessments, should there be more regulation for firms?
“The risk with adding more regulation is that it could become a box-ticking exercise and give a false sense of security, when actually every company is different and there is no one size that fits all in cybersecurity.
“There does not necessarily need to be more regulation, but attention to creating guidelines and frameworks can be very useful.
“The Government’s ‘Cyber Essentials’ Scheme has been very positive because it offers a good framework that says you should use anti-virus, install backups and updates, etc.
“Similarly, with GDPR, it has forced companies to think about the data they hold, the way that they collect it and the need to secure it.
“When you have new partners in your business, you also need to ask, ‘well are you taking security seriously?’
“So, it’s about education.
“There are already guidelines for developers and some new proposals have been made to legislate about security of smart devices too.”
Why is risk assessment being overlooked?
“Ideally you want to give staff training on data and cybersecurity – but the challenge is that executives have busy schedules and strict budgets and they find it much easier to buy a solution from Kaspersky or other vendors than invest in years of training. Products are tangible and that resonates well with large organisations who feel impelled to act.
“But there is definitely a case for having staff on board who understand the risks; and whether it is sophisticated crime or opportunistic crime, the message needs to be reinforced about things like the danger of clicking on links and also what happens when you take your phone and laptop away with you and the potential risks that can manifest. Today, it’s wider than just the desktop on your desk.”
Stats from the Study Showed:
Despite the inherent risks of being complacent, many IT security decision-makers are failing to implement effective measures to protect customer data from cyberattacks. For instance, more than half (57%) say they do not currently have a cybersecurity policy in place – rising to more than two-thirds (71%) of medium-sized businesses (250 to 549 employees). Just four-in-ten (41%) businesses surveyed believe their organisation is protected with robust endpoint security.
Alongside security, consumer confidence is vital to the growth and maintenance of increasingly interconnected businesses. The majority of IT security decision-makers (69%) are concerned they would lose customers following a data breach, while 74% of survey respondents believe that being perceived as cyber-complacent would be damaging to business.
There were once talks of cybersecurity insurance becoming compulsory – do you think this will happen?
“It’s a difficult area because right now it’s hard to know the scale of it. With car insurance or home insurance, the underwriters can base premiums on similar incidents according to your demographic or geography. But with cybersecurity there is less historical data to go on, so it’s harder to underwrite it. Companies considering cyber-security insurance should check the terms of the policy carefully, to ensure that it covers what they think it does.”
With 61% of IT security decision-makers thinking it is likely that their organisation will face one or more cyberattacks over the next two years, Kaspersky recommends the following advice to help protect organisations:
- Conduct regular cybersecurity assessments to review policies and services – ideally every six months
- Invest in and regularly update robust endpoint security solutions that offer effective protection against the latest cyberthreats
- Organise frequent cybersecurity training for IT staff, so they are aware of the organisation’s policy and solutions.
More information can be found by visiting the Kaspersky website.