Why Are Companies and Their Directors Still Behind on Cyber Security?
At AT&A we’re repeatedly raising the subject of cyber risk and the need for better board oversight. The threats posed by cyber are so significant to companies of all sizes across all sectors that it’s essential boards pay close attention to developments and risks in the area. Despite this, all evidence points to the opposite – that company directors are not sufficiently engaged with the subject and that companies are failing to protect themselves against the risks posed.
So why might this be?
IT discomfort & common misconceptions
Technology and computing continues to change at an unprecedented pace. Consumers and businesses are creating and dealing with larger and larger amounts of data every year yet it’s clear that there is a significant sense of discomfort with discussion around the IT aspects of cyber security.
This discomfort often leads to a collection of excuses for failing to tackle essential cyber security issues. The two most common that we hear are:
- Excuse: “[Person X] is responsible for risk so they should deal with cyber security issues.”
- Reality: Responsibility is most commonly directed towards the IT department. Though this team is often the front line of defence against cyber attacks, it’s incumbent upon the board to consistently challenge IT policies. In addition, cyber security is not just an IT issue. The majority of cyber attacks can be prevented through employee education. In a study by the Ponemon Institute, 59% of respondents said they have no visibility into employees’ password practices and 65% admitted they don’t strictly enforce their documented password policies.
- Excuse: “Hackers are only interested in bigger/more important companies than ours” // “Being hacked is inevitable so there’s no point protecting ourselves”
- Reality: Often these excuses are intrinsically connected. The belief that SMBs are somehow exempt from cyber attacks is extremely dangerous. In 2014, the majority of all cyber attacks (60%) were directed at SMBs, and approximately half of small businesses that suffer a cyber attack go out of business within six months. Furthermore, it’s important to recognise that cyber security oversight shouldn’t be solely concerned with the prevention of attacks – business continuity plans, public relations and much more are also integral to successful cyber security oversight.
This apparent lack of understanding around cyber threats exacerbates the risk facing many small businesses. Losing valuable data to a cyber attack can have serious ramifications in and of itself, but the knock-on effects such as loss of business and reputational damage can leave companies bankrupt. In 2015, the UK government’s Information Security Breaches Survey found that the average cost of a security breach is between £65,000 and £115,00 and can result in a business being put out of action for up to ten days.
Despite this, 24% of small businesses believe that cyber security is too expensive and a further 22% admit that they ‘don’t know where to start’.
How to protect yourself
Clean your machine: Ensure that all workplace machines are clean and protected from malware, viruses and infections. Install and regularly update antivirus software.
Keep it locked: Secure your data by making passwords long, strong and unique. Use a secure password manager such as 1Password if you struggle to remember lots of different passwords.
Educate your employees: This is incredibly important and often the most overlooked. Teach all employees basic security practices and regularly check that they’re adhering to these.
Ensure you’re covered: Cyber Liability insurance protects you against financial loss resulting from the circumvention of your IT security systems by a third party. There are numerous levels of policy cover and policy wordings, so it’s critical to get the correct cover in relation to your business risks.
For more information please speak to your AT&A account director or contact our office.