The numbers are eye-watering. According to a just-published report from the Centre for Economics and Business Research (CEBR), cyber attacks are costing UK firms £34 billion – split roughly 50-50 between revenue and intellectual property losses (£18bn) and subsequent increased IT spending (£16bn).
What’s more, it points out, those numbers are set to rise. Citing a threat assessment from think tank the Royal United Services Institute, it expects attacks carried out in the future to cause much more damage. Not necessarily because the frequency of attacks will increase, but because they are likely to be conducted in a more targeted manner, by exploiting better intelligence.
And why? Financial crime is one obvious reason. But, points out the CEBR, 34% of cybercrime in UK businesses is tied to intellectual property theft – a risk to which UK businesses seem relatively oblivious, seeing it as far less of a concern than do their United States counterparts.
Perhaps predictably, the CEBR report is gaining a lot of traction.
Like the Detica report, produced in partnership with the UK Cabinet Office’s Office of Cyber Security and Information Assurance a year or so back, it is well-researched, authoritative, and – in contrast to the slew of US-based research that is often trotted out – refreshingly UK-centric in its scope.
If one had to sum it up in a single word, there’s a good case to be made for that word to be ‘sobering’.
And yet, it’s clear that UK businesses often fail to approach IT security with an appropriate level of seriousness.
For proof, consider UK businesses’ top cybersecurity concern: breach costs – in other words, the direct costs of dealing with a security breach, and cleaning up after it.
The bigger picture
That isn’t to trivialise such costs. They are cash costs, payable now, and will be responsible for a direct hit on this year’s P&L. Of course businesses are right to be concerned.
But as a top, over-arching, number-one concern? Surely not.
Instead, it seems prudent to attach greater concern to longer-lasting impacts of an IT security breach – reputational damage, longer-term damage to internal productivity and morale, theft of intellectual property, and any legal consequences.
Businesses accepting debit and credit card payments from consumers, for instance, ultimately run the risk of sanctions from processing banks and card-issuing companies – sanctions which can, in the extreme, impose considerable longer-term costs and damage to a business model.
Take a risk-based approach
So what to do? Our view, at ACSN, is to recommend a risk-based approach to dealing with these various threats and consequences.
Take intellectual property theft, for instance.
As the CEBR confirm, it’s a much bigger concern to some industries than others – a point endorsed by the Detica/Cabinet Office report, of course.
So the prominence given to putting barriers in place to deter intellectual property theft will logically need to vary from industry to industry.
Likewise with brand damage, PCI concerns, and the forthcoming European Union General Data Protection Directive: different industries, and different companies, will be affected to different extents.
And the sensible approach is to take these differences into account, and formulate an approach to IT security that is the right one for your business, and deals with the threats actually faced by your business.
The herd can be wrong
That said, this isn’t always an approach that finds favour.
Some businesses prefer to take a ‘cookie-cutter’ checklist-based approach to IT security, following the herd and doing exactly what their peers and neighbours are doing.
But they, presumably, are disproportionately represented among those UK businesses reckoned by the CEBR to be ruing cyberattack costs of £34 billion.
For any IT security matters concerning your infrastructure, please call ACSN on 0845 519 294 at any time.