We explore why mid-market companies need to take the threat of cyber crime more seriously and what role the board can play in reducing the impact of an attack
As a mid-market CEO, you may hope your business is below the radar for cyber crime, perhaps calculating that being smaller in scale and having a lower profile than larger companies offers a degree of immunity. Unfortunately, it doesn’t.
The latest government figures show that six in 10 mid-market companies have experienced a cyber security breach or attack in the last 12 months. That’s almost identical to the proportion of large companies experiencing an attack. Playing in the mid-market is no reason to feel safer.
Any business can be a target
If you find it hard to believe that your company is a target, consider the alarming growth in the volume of cyber crime. Given the potential profit in cyber crime, estimated at $1.5 billion worldwide in 2018, criminal groups are using a range of techniques to perform mass analysis of potential targets in an increasingly industrialised fashion, including:
- using automatic vulnerability identification software to trawl IP addresses and identify unsecured or out-of-date systems with ease
- using available security credentials (usernames and passwords) to try to log in directly, to undertake ‘credential stuffing’ attacks that seek access to customer accounts through online portals, or to make phishing attacks more believable – our cyber consulting team can currently identify over 38 billion unique credentials being actively marketed for sale by cyber criminals
- using automated open source ‘scraping’ tools to identify information on key individuals, companies and news events that can be used to help target phishing campaigns and other social engineering approaches to help steal information, conduct invoice fraud or introduce malware
It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defences are not up to scratch, you could already be on a list.
The reality is that it’s not the size or profile of a business that attracts the interest of cyber criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defences. It’s not personal – it’s just business.
Counting the cost
The financial impact of a successful attack is serious. In our recent research, more than half of the companies reported losses equivalent to between 3% and 10% of revenue following a cyber breach. For the businesses impacted most severely, losses were up to 25% of revenue. It’s easy to see why the total cost of cyber security breaches to UK mid-market businesses has reached at least £30 billion, in our estimation, over the last 12 months.
The impact of a successful attack is not always immediate. Knock-on impacts on brand, customer confidence, supply chain continuity and business operations can lead to a much more significant hit to the bottom line, and have led to several companies folding.
For example, Colorado Timberline, a company with more than 200 employees, was closed down in late 2017 following a string of cyber attacks, including a mass ransomware attack.
A key role for the board
What can business leaders do to manage the risk and minimise the impact of cyber crime? Here are three priorities for action.
1 Review cyber security risks and management at board level
Scheduling a regular and formal review at board level puts cyber security on the board agenda and ensures the issue receives the focus and investment it requires. This doesn’t necessarily need major investment in new technologies - often the right policies, training and behaviours can lead to a significant reduction in risk. Board members can make a difference by understanding the issues and asking the right questions. There’s no need for technical expertise. Our research shows that companies that review cyber security at board level suffer lower financial losses in the event of a successful attack.
2 Make cyber security the responsibility of a specific board member
Making cyber security the responsibility of a specific board member helps stop cyber risk management slipping through the net. The designated board member needn’t necessarily be the chief information officer or chief technology officer. Cyber risk is a business risk that needs to be managed as part of business as usual. Our research shows that companies that appoint a specific board member suffer lower average losses in the event of a successful attack than those that don’t.
3 Check your business has an incident response plan (six in 10 mid-market companies don’t)
In responding to a cyber incident, a well-rehearsed plan of action can help business leaders manage a highly stressful situation quickly and more effectively, minimising business interruption and negative impact. Timing matters. If an organisation is haemorrhaging data, or customers are providing a running commentary on service failure on social media, minutes and even seconds count.
Our research shows that just four in 10 mid-market companies have an incident response plan in place, and those that do experience lower losses in the event of a successful attack than those that don’t.