This month our guest blogger is Nick Sturge, SW regional chairman of the Institute of Directors and founder and director of the enterprise hub The Engine Shed, a collaboration between Bristol City Council and the University of Bristol. He is discussing cybercrime.
The Government’s Public Accounts Committee has stated that the Government needs to ‘raise its game’ on cybercrime – now one of the top four risks to national security in the past six years. It said that our ability to repel cyber attacks is undermined by skills shortages and ‘chaotic’ handling of personal data breaches. Alarmingly, Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure. Yes, it’s as basic as that.
Cyber attack and cyber crime are not just a national security issue. Across the UK, businesses large and small are not taking this issue seriously enough. Less than a third (28%) of cyber attacks are being reported to the police, according to a report the IoD carried out with Barclays last year. It revealed that companies were keeping quiet about cyber attacks, even though half (49%) resulted in interruption of business operations. It states that the scale of the threat should not be underestimated, with over seven in ten firms saying they had been sent bogus invoices via email.
The survey of nearly one thousand IoD members showed a worrying gap between awareness of the risks and business preparedness. Whilst over 90% said that cyber security was important, only around half (57%) had a formal strategy in place to protect themselves and just a fifth (20%) held insurance against an attack. Worryingly, official efforts to tackle cybercrime seem to be failing to get through to businesses, with nearly seven in ten (68%) IoD members never having heard of Action Fraud Aware, the UK’s national reporting centre for fraud and internet crime.
The growing threat of breaches will create a ‘cyber paradox’, meaning that although business will increasingly take place online, firms will no longer feel confident in the encryption protecting sensitive information when it is transferred. This could lead to companies going back in time, and resorting to old-fashioned methods for sending important data.
Business needs to get real about the significant financial and reputational damage cybercrime can inflict. Increasingly we read of data breaches at our banks, service providers such as telecoms, and online payment vehicles. These are the high end of the scale, often affecting hundreds of thousands of customers. But at the lower end of the scale, why are small businesses so slow in coming forward when their data is breached? As the report author Professor Richard Benham said, no shop owner would think twice about calling the police if they experienced a break-in. Yet many businesses don’t seem to think a cyber break warrants the same response.
Cyber crime is not an IT department problem. You should have a strategy in place, be it as simple as ensuring strong passwords are used and regularly changed, regularly updating software, providing staff awareness and training and making yourself familiar with many of the Government cyber guides that are available, such as Cyber Essentials.
As one of the major threats to business continuity and reputation in the 21st century, it’s now a boardroom issue.
From a director’s perspective, you shouldn’t expect to or need to be the expert on the technology relevant to preventing, or causing, cyber attacks. But it is essential that you understand the risks to the business and what you need to do to pre-empt and respond to incidents. Critical to this is understanding what skills and capability you have in your business to deal with such incidents. And if you haven’t got the capability, or capacity, then you need to buy it in. Blindly delegating responsibility without checking that your business is properly protected is not enough. Cyber crime typically uses state-of-the-art technology, and so ensuring that you have the latest skills, either in-house or to hand, is critical to your responsibility as a director.
On 25th April the IoD Somerset branch is hosting an event in partnership with Somerset Chamber of Commerce and the South West Cyber Security Cluster. You can book at www.iod.com/southwest