Greater connectivity has enabled quicker and more efficient business – and more effective attacks. Cybersecurity is a need to have, not a nice to have, though apparently many companies are not prepared for what may be coming their way.
“There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.” John Chambers, former CEO, Cisco
According to the Cisco 2017 Annual Cybersecurity Report, ransomware and cyber-attacks are growing at a yearly rate of 350%. In the UK alone, cyber-attacks such as WannaCry and NotPetya cost businesses £29.1bn in 2016.
Given the economic impact and potential consequences of cyber-attacks, the lack of focus on and investment in cybersecurity deserves considerable attention. The average cost of a data breach has been estimated at $3.62 million USD, which equates to an average of $141 USD per lost or stolen record [1].
No plan yet
Nexia International surveyed 350 people from organisations around the world on their cyber-preparedness.
Among the key observations:
- Only 39% of respondents consider cybersecurity a top concern.
- 20% of respondents have not conducted a cybersecurity assessment, and only 25% of respondents provide cybersecurity training to employees at least annually.
- 20% of respondents who are required to have a cybersecurity program based on governmental, industry or customer requirements do not currently have a cybersecurity program.
- Limited time and budget along with a lack of qualified staff were the key reasons cited for not having an effective cybersecurity program.
However, international regulations are providing fresh impetus for companies to reconsider their approach to cybersecurity.
For example, the EU’s General Data Protection Regulation (GDPR), which will go live from May 2018, imposes very strict criteria on the holding of personal data. Fines in the event of a breach and demonstrated lack of compliance could reach €20 million or 4% of corporate revenues from the prior year, whichever is higher.
What you can do about it
Although cybersecurity may seem prohibitive from a cost perspective, the risk run by doing nothing is far greater. Here are some things to consider when approaching your own cybersecurity:
- Good housekeeping – you need to ensure that the basics are being taken care of from an IT perspective. Attacks can find and exploit weaknesses in your operating system, so you don’t want to be caught out.
- Segregation of duties – some cyber-attacks require access to a business’s bank account, so segregation of duties between those initiating transactions and those authorising them is key.
- Training – for responsibility to be shared effectively, your people must be trained appropriately. Give them the tools they need to keep your company safe.
- Protect valuable data – there’s only so much that your people can protect by themselves. Keeping valuable data out of general access, or requiring high permission levels to reach it, goes a long way to ensuring that it is safe.
- Culture – cybersecurity may seem daunting, but it’s much easier to implement an effective system if everybody’s on the same page.
- Insurance – regardless of how good your cybersecurity is, attacks are a likely occurrence. Be aware of what you are protected for ahead of time – it will help you quickly assess the scale of any damage.
The above is by no means a comprehensive list; hackers and their methods are constantly evolving. However, this should be a good start in helping you prepare a proactive response to cyber-attacks of the future.
[1] 2017 Cost of a Data Breach Study – Global Overview. Benchmark research sponsored by IBM Security and independently conducted by Ponemon Institute LLC, June 2017.
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.
This article was previously published on Smith & Williamson prior to the launch of Evelyn Partners.