03 May

A Government study has shown that almost half (46%) of UK firms experienced some form of cyberattack during 2016. More than two thirds (68%) of medium and large firms were hit by such an attack.

Common forms of cyberattack reported by firms included fraudulent emails, viruses, malware and theft of employees’ identity.

The average cost to firms of each incident was £1,570, rising to £19,600 when only attacks affecting larger firms are considered.

In 2015, only 24% of firms reported a cyberattack.

The Government surveyed some 1,523 firms, and the study also found that many firms, both large and small, have still not taken some basic measures that could reduce the risk of an attack. Only around one third of firms have a formal cybersecurity risk policy, and only 29% have appointed a member of their board to be responsible for cybersecurity issues.

Ciaran Martin, the chief executive of the National Cyber Security Centre, commented:

“The majority of successful cyberattacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities.”

Minister for the Digital Economy, Ed Vaizey MP, said:

“Too many firms are losing money, data and consumer confidence with the vast number of cyberattacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum, companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”

The Cyber Essentials scheme referred to by the Minister allows firms to apply for a ‘badge’ which certifies that they have sensible cybersecurity procedures in place.

The Government study covered firms in all business sectors. Previous research looking specifically at the financial services industry revealed that the number of cyberattacks had almost tripled from 2015 to 2016.

Addressing the Financial Information Security Network in April 2017, Nausicaa Delfas, Executive Director at the Financial Conduct Authority (FCA), urged firms to “get the basics right”. The FCA director said that “many organisations believe that they are getting the basics right, but the reality is often not the case.”

She urged firms “to carry out robust and comprehensive risk assessments,” and to implement the Government’s ‘10 steps to cyber security’. Ms Delfas concluded her speech by saying “we have to expect the unexpected.”

The ‘10 steps to cyber security’ referred to by Ms Delfas are a series of basic steps laid down by the National Cyber Security Centre. They give advice to firms on what they can do regarding:

• Risk management
• Network security
• User education and awareness
• Malware prevention
• Removable media controls
• Secure configuration
• Managing user privileges
• Incident management
• Monitoring
• Home and mobile working

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.