The odds are terrible: According to the British Chambers of Commerce (BCC), one in five businesses in the United Kingdom have fallen victim to cyber-attacks in the past year. While that data is specific to the U.K., it seems reasonable to assume that the numbers for other first-world countries would be somewhat similar.
The BCC surveyed 1,285 business people in the U.K. in January 2017. Of the businesses surveyed, 96% were small or mid-sized businesses. About 22% operate in the manufacturing sector, and 78% operate in the services sector.
And all are woefully unprepared to defend themselves against direct target attacks – and against those which are totally generic. It’s like a car thief walking through a parking lot looking to see which vehicles are unlocked: There’s nothing personal, but if your door is open, your car belongs to the crook. Similarly, if some small business’s employees are click on a phishing email and end up victims of ransomware, well, their Bitcoins are as good as gold.
What can be done? Training, of course, to help ensure that employees (including executives) don’t welcome cybercriminals in by responding to phishing emails, malicious website ads, and social-media scams. Technology, which could be products like anti-malware software installed on endpoints, as well as services offered by internet service providers and security specialty firms.
Indeed, the BCC survey indicated that 63% of businesses are reliant on IT providers to resolve issues after an attack,
Needed: A formal process for cybersecurity
Every company should have formal processes for implementing cybersecurity, including evaluating systems, describing activities, testing those policies, and authorizing action. After all, in this area, businesses can’t afford to wing it, thinking, “if something happens, we’ll figure out what to do.” In many cases, without the proper technology, a breach may not be discovered for months or years – or ever. At least not until the lawsuits begin.
Indeed, running without cybersecurity accreditations is like riding a bicycle in a rainstorm. Without a helmet. In heavy traffic. At night. A disaster is bound to happen sooner or later: That’s especially true when businesses are facing off against professional hackers. And when they are stumbled across as juicy victims by script-kiddies who can launch a thousand variations of Ransomware-as-a-Service with a single keystroke.
As one would expect, small and very small businesses are extremely deficient in terms of having cybersecurity plans. According to the BCC, in the U.K. only 10% of one-person businesses and 15% of those with 1-4 employees have any formal cybersecurity accreditations. Contrast that with businesses with more than 100 employees: 47% with more than 100 employees) have formal plans.
While a CEO may want to focus on his/her primary business, in reality, it’s irresponsible to neglect cybersecurity planning. Indeed, it’s also not good for long-term business success. According to the BCC study, 21% of businesses believe the threat of cyber-crime is preventing their company from growing. And of the businesses that do have cybersecurity accreditations, half (49%) believe it gives their business a competitive advantage over rival companies, and a third (33%) consider it important in creating a more secure environment when trading with other businesses.
Again, one in five businesses in the United Kingdom have fallen victim to cyber-attacks in the past year. That number is probably comparable around the world. There are leading-edge service providers and software companies ready to help reduce that terrible statistic. With more and more hackers, including state-sponsored agents, becoming involved, the stakes are high. Fortunately, the tech industry is up to the challenge.