A cyber-security survey carried out by Ipsos Mori has revealed almost half of UK businesses were attacked by cyber criminals in the past 12 months.
The survey commissioned by the UK government’s Department for Culture, Media and Sport found that overall 46% of all UK businesses identified at least one cyber-security breach or attack in the last 12 months – the number of identified attacks rises to two-thirds among medium-sized firms (66%) and large firms (68%).
Although these figures are alarming, cyber-security experts say they only account for known breaches.
In reality, the number of cyber attacks might be even higher than the figures show.
“This is probably an underestimate if anything. Two reasons for this: firstly, this assumes they even know they have been hit; secondly, people are more likely to under-report,” said Anton Grashion, managing director of security practice at software firm Cylance.
“Evidence of our testing when we run a proof of concept with prospective customers is that we almost invariably discover active malware on their systems, so it’s the unconscious acceptance of risk that plagues both large and small businesses.”
Among the 46% of businesses that detected breaches in the last 12 months, Ipsos Mori’s survey found that the average business faced costs of £1,570 as a result.
However, this figure is much higher for the average large firm, at £19,600, though the average medium firm (£3,070) and micro and small firms (£1,380) also incurred sizeable costs.
“Many businesses still remain unprepared for a cyber attack because it’s difficult to prepare for something you don’t understand, can’t visualise, and haven’t experienced,” said Paul Edon, director at security firm Tripwire.
“The dynamic nature of cyber attacks often makes it hard to pinpoint a root cause, so executives with a desire to prepare are faced with choices, rather than clear actions to fund.”
The survey found only a quarter (26%) of surveyed companies reported their most disruptive breaches externally to anyone other than a cyber security provider.
The findings suggest that some businesses lack awareness of who to report to, why to report breaches and what reporting achieves.
In addition to not knowing where to report attacks, companies also claim they are unsure of where to obtain advice on how to prevent cyber attacks.
While 58% of businesses have sought information, advice or guidance on the cyber security threats facing their organisations over the past year, only 4% had consulted government or other public sector sources such as the police or regulators.
“British businesses need to realise there is an entire global cyber criminal economy that out-earns the illegal drug industry in terms of revenue.
“Cyber programs need to wake up and adapt into a detect and response approach that places equal investments in prevention as it does detection of hackers,” said Paul Calatayud, chief technology officer at security company FireMon.