According to the UK government's Cyber Security Breaches Survey 2022, around four in ten businesses reported cyber security breaches or attacks over the previous 12 months. This varied greatly by business size and sector, rising to 47% in the administration and real estate sectors, 54% for financial services firms, and 59% and 72% for medium-sized and large firms respectively.
Companies that suffer personal data breaches may face investigation by the Information Commissioner's Office (ICO), which can impose fines of up to £17.5m or 4% of a company's annual global turnover, whichever is higher. In October 2022, the ICO fined the British construction company Interserve Group Limited £4.4m for failing to prevent a cyber attack that enabled hackers to steal the personal and financial information of up to 113,000 employees.
According to the ICO, Interserve's own complacency was responsible for the breach, with outdated software systems and protocols as well as inadequate staff training and risk assessments all listed as contributing factors.
Upon issuing the fine, the UK Information Commissioner said that, "the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office." His statement is a warning shot to directors to prioritise cyber security and get their houses in order.
As economic distress and geopolitical unrest are likely to increase the threat posed by cyber breaches in 2023, directors should heed the Information Commissioner's warning and consider proactive measures to mitigate this risk.
What we are expecting to see in 2023
Increased cyber breaches in the supply chain
Few major businesses will have escaped some form of cyber attack or data breach, which can precipitate the breakdown of trading relationships.
Following an increase in supply chain attacks, the National Cyber Security Centre issued fresh guidance in October 2022 to help organisations assess the cyber security of their supply chains. This builds on its previously published '10 Steps to Cyber Security', which includes measures on engagement and training, asset management, architecture and configuration, vulnerability management, data security, logging and monitoring, incident management and supply chain security. However, in response to the government's 2022 survey, only 49% of businesses said they had implemented measures in at least 5 of these areas.
Supply chains add further vulnerabilities for cyber attackers to exploit and give criminals another entry point into an organisation. Yet, despite this risk, only 13% of businesses said they assessed the hazards posed by their immediate suppliers during the procurement process, and less than one in ten said they monitor the risks posed by their supply chain on an ongoing basis.
Businesses are only as secure as their weakest supplier and this is something directors must recognise if they are to ensure their organisation's continued resilience in 2023. Read more in our predictions for supply chains.
Cyber security failings associated with accelerated digital transformation
Whilst most businesses have some sort of digital footprint – through the use of network-connected devices, online ordering systems and payments, and storing customer data electronically – the Covid-19 pandemic facilitated a boom in IT solutions, which served to fast-track the uptake in digital technologies.
This was a priority for businesses determined to survive in the 'new normal'. Indeed, business continuity became the number one priority for many companies, with other interests – including cyber security – moving further down their commercial agenda.
Many businesses are still dealing with the impact of the pandemic: ongoing insurance claims, business restructuring and the withdrawal of government financial support remain a focus for directors. As a result, many businesses have yet to properly assess the increased risk profile created by accelerated digital transformation. This includes risks within the company, such as IT misuse by outgoing employees.
As well as an increased use of technology, digital transformation usually results in a larger supply chain – both of which increase the opportunities available to cyber criminals to mount an attack. Directors should prioritise the implementation of adequate security protocols to manage the risk and reduce exposure to cyber attacks.
Steps you can take to manage the risks
- Ensure cyber security is a priority at board level. Appoint a board member to be responsible for cyber security or hire an expert to effectively and regularly communicate the issues at board level, ensuring it is prioritised alongside other business demands.
- Conduct risk assessments to establish the personal data risks in your business, identify the potential consequences, and put in place suitable processes to mitigate risk.
- Prepare a crisis plan and put together a crisis team so that your business is well prepared to deal quickly with any breach incident.
- Increase staff training. Training that helps staff recognise fraudulent emails, stay vigilant and take care when handling personal data is essential to reducing cyber risks and data breaches.
- Review supply chain risk. Ensure cyber risk is included in your procurement process and ensure that your suppliers' cyber risk strategies adhere to the standards set by your business. Communicate with your suppliers on a regular basis and ensure cyber risks are on the agenda.
The final word
Ongoing economic pressures will make 2023 a challenging year for many organisations. Whilst business continuity will remain at the top of many business agendas, the rising number of criminals looking to exploit vulnerabilities will increase the need for strong cyber security defences. Those companies that make cyber security a priority at board level, prioritise training, regularly assess their risk profile and take a proactive approach to cyber defence will be better placed to reduce data security breaches, intercept attacks, protect their corporate reputation and mitigate costly financial penalties.