In the wake of the second significant data breach suffered by Dixons/Carphone Warehouse, we continue to see increased cyber attacks and new threats to data security. Hackers are constantly finding new targets and refining the tools they use to break through cyber defences. Other companies that hold lots of sensitive information will be in their sights in 2018. Cyber threat remains one of the most significant – and growing – risks facing UK business.
The 2018 UK government survey on cyber breaches demonstrates that UK businesses are incurring considerable cost and disruption from cyber security breaches, yet there appears to be a degree of complacency when it comes to preventing and responding to cyber attacks.
The cost to business
81 per cent of large businesses and 60 per cent of small businesses suffered a cyber security breach in the last year, and the average cost of breaches to business has nearly doubled since 2016. Breaches impact on organisations in various ways. Where breaches have resulted in lost assets or data, the financial consequences have been especially significant.
Increased support from senior managers can empower those in charge of cyber security. Despite this, management boards for two in ten businesses (20 per cent) have never discussed cyber security and only a minority of organisations (30 per cent of businesses) have board members or trustees specifically overseeing cyber security.
Addressing the risks
‘The offshore world has already been hit with serious data breaches; we are all aware of the Panama and Paradise papers. With the nature of sensitive documents held by trustees, it is more important than ever that trust companies do all they can to prevent cyber breaches. This ranges from simply raising staff awareness through training, to identifying and managing cyber-related risks and adopting good-practice technical controls. Cyber security must be made a Board-level issue to ensure it gets the required level of focus.
‘It’s particularly interesting that the survey found that cyber breaches are more prevalent when staff are allowed to use their own personal devices for work. This is an area we have identified as an increasing risk and one that we have been warning our clients about for some time. Understanding that personal emails and home networks aren’t automatically adequately safeguarded from unauthorised intervention and cyber attacks is a key learning point.
‘Personal devices should be managed and controlled via a formal bring your own device (BYOD) policy. This ensures that controls applied to systems which are managed and owned by the organisation are also consistently applied to personal devices which staff want to use for work-related purposes. This is ever more important given the General Data Protection Regulation which came into force in May this year to strengthen personal data governance.’