Middle market businesses leaving themselves open to cyber-attacks, says RSM UK

26 April 2022

Research published today by RSM UK highlights that, despite a significant increase in cyber-attacks, the number of businesses that think they are likely to fall victim has fallen. 

According to RSM UK’s ‘The Real Economy’ report, over a quarter (27%) of middle market businesses* have experienced a cyber-attack in the past year, up from one in five (20%) last year. Yet despite the increased risk, the research found the number of businesses that felt they are ‘very likely’ to fall victim to a ransomware attack has actually fallen significantly, from 34% in 2021 to just 24% this year.

Ransomware attacks, where hackers either steal or encrypt data, rendering it inaccessible, then hold a business to ransom for it, have escalated 100% since the pandemic, according to the Information Commissioner’s Office (ICO). They are expected to rise further in future, partly due to changing external events such as increases in inflation, volatile financial markets and the current Russia-Ukraine situation.

Cybersecurity Ventures, leading researchers for the cyber economy, predict that by 2031 ransomware will cost victims $265bn a year, with an attack expected to take place every 2 seconds, up from every 11 seconds in 2021.

There is also evidence that criminals like to return to the scene of the crime, re-visiting easy targets where they have carried out a successful attack, knowing defences are weak. The Real Economy research found 17% of businesses have been targeted with ransomware more than once, compared to only 11% last year. The figures may suggest a level of complacency has set in among middle market businesses, leaving them vulnerable to future attacks. 

Alternatively, those who have invested in cyber security tools, specialist resources and cyber insurance may wrongly think they no longer need to consider the ongoing cyber threats and are now adequately protected from all types of attacks. 

In recent weeks, data extortion group LAPSUS$ has shown how teenaged cyber criminals with few financial resources can extort data from large companies including Microsoft, NVIDIA and Samsung. With sophisticated, high-profile technology companies that invest significantly in cyber security still coming under threat, middle market businesses must remain vigilant to the threat of cyber-attacks.

Sheila Pancholi, Technology Risk Assurance partner at RSM UK said: ‘The rapid shift to home working brought about by Covid meant businesses were initially more aware of the need for tighter cyber security measures as people logged on to work from home, often utilising their own unsecured devices. Now, as many middle market companies have already made an initial investment in protecting their business, there is a risk they mistakenly believe they have done enough, and have now developed a false sense of security. In reality, cyber security is an ongoing process, as criminals are constantly evolving, developing new attack techniques and seeking out new vulnerabilities. To keep one step ahead of the cyber criminals, businesses need to ensure IT systems remain secure, and continually review cyber security measures to ensure they are as robust as they possibly can be.’

Cyber-crime is now so prevalent that ransomware is even available to buy as a service, more commonly known as RaaS (ransomware as a service). Criminal syndicates offer ransomware to would-be attackers, meaning quite often these criminals require little or no technical knowledge to carry out an attack. This has exponentially increased the number of attacks that are possible. The current Russia-Ukraine situation means the threat of an attack, particularly on financial organisations or national infrastructure, is increased, as state-sponsored groups carry out APTs (advanced persistent threats).

Sheila Pancholi concludes: ‘With cyber criminals now operating on an industrial scale, it is sadly no longer possible to completely eliminate the possibility of an attack, but by remaining aware of the fast evolving cyber threat landscape and vigilant to potential threats, businesses can reduce the risk considerably.’

Tips to prevent a cyber-attack:

  • Educate the senior executives in the business so they have a clear understanding of cyber risks
  • Keep all operating systems and software up to date to ensure the latest security patches are installed
  • Ensure systems are set up to automatically apply security updates 
  • Back up all data, and ensure the backups are routinely tested for recoverability
  • Encrypt any data deemed as confidential, personal or commercially sensitive
  • Educate your staff about how to spot and report any possible threats or attacks
  • Use strong, complex passwords and multi-factor authentication
  • Ensure any online customer transactions are secure
  • Risk assess the need for specialist third party support or cyber insurance
  • Drive a strong security and awareness culture.

Richard Curtis, Technology Risk Assurance director at RSM UK said: ‘Global cybercrime costs are expected to hit £7.5 trillion annually by 2025. Thus, cybersecurity risk will be the biggest threat to an organisation’s growth through 2024 — up from 10 percent in 2021. Global statistics indicate that 39 percent of security technologies used by organisations are considered outdated. Moreover, 92% of business executives stated that cyber resilience is integrated into enterprise risk management strategies; however, only 55% of security-focused executives agree. Developing a positive cyber security culture and fostering a no-blame culture is key; understanding that cyber security is not just an IT responsibility but rather the entire organisation’s responsibility will allow staff to focus on bringing the most benefit to the organisation.’