Professional Firms Insight: UK government shines spotlight on SME cyber security
Our economy, society and individual lives have been transformed by digital technologies. They have enabled improvements in science, logistics, finance, communications and a whole range of other essential activities. As a consequence, everyone has become dependent on digital technologies, which leads to very high expectations of how reliable and trustworthy these technologies will be.
Now more than ever, as professional firms embrace technology in response to the Coronavirus pandemic, they need to ensure that their systems are secure. With the ongoing rise in volume and consequences of cyber crime across the world, the UK government recognises that cyber resilience within UK businesses is a crucial supporting pillar for the UK’s technology-dependent economy.
Verizon’s 2020 Data Breach Investigation Report identified that professional services firms are regularly targeted by financially motivated attackers who look to steal user account credentials to gain access to firms’ web-facing services, and ultimately any valuable information. Social engineering in the form of phishing and pretexting is a common tactic used to obtain credentials from staff and clients.
The sector also suffers regularly from ‘denial of service’ attacks. Of the 7,463 security incidents Verizon investigated within this sector globally, 326 resulted directly in disclosure of sensitive or personal data.
Despite this statistic, many firms still lack a strong commercial rationale for investing in cyber security, because they cannot demonstrate a compelling business case for return on investment. Furthermore, there are limited external market drivers to compel firms to take the necessary action.
In practice, this means that there are potentially scores of organisations, particularly small to mid-size firms, that are not fully aware of their cyber security risks and are therefore ripe for the picking by cyber criminals. Smaller firms that work closely with larger firms and government are fast becoming the go-to ‘soft target’ for attackers looking to get past the larger organisation’s security measures. According to the Cyber Security Breaches Survey 2019, the average direct and recovery cost of a breach can total £9,730 for an SME.
Commercial drivers for investment in cyber security are broadly acknowledged to be weak for most firms, especially smaller ones. Skilled cyber security resources are also at a premium and out of reach for most practices, which means that decisions about cyber security are often driven by fear, regulatory or compliance requirements, client or customer demands, or direct experience of having been breached. However, 67% of the costs incurred following a breach will be incurred within the first year.
While larger organisations may have more sophisticated and mature approaches built around cyber risk, they are still susceptible to attacks. The Cyber Security Breaches Survey states that 32% of UK businesses experienced cyber security breaches or attacks in the last 12 months, with the average direct cost of a breach reaching £17,500 for large businesses. In addition to the cost implication of a breach, firms risk a disruption to day-to-day business.
Actions to minimise risk
Moore Kingston Smith has worked closely alongside the Institute of Chartered Accountants in England and Wales (ICAEW) and other professional services firms as well as with the UK Department for Digital, Culture, Media and Sport (DCMS). The DCMS launched a review into which additional incentives and regulation would effectively overcome barriers to good cyber risk management and improve the UK economy’s cyber resilience, without adding any unnecessary burden.
One of the steps towards enabling businesses to be more resilient is the introduction of the Cyber Essentials scheme, alongside good practice advice provided through the National Cyber Security Centre, part of Government Communications Headquarters (GCHQ). A notable case was the 2017 “WannaCry” cyber attack, a major ransomware outbreak that took down many organisations, including the NHS. However, companies that maintained the Cyber Essentials certificate were not affected by this attack.
The ICAEW highlighted that external audit and assurance can play an important role in building confidence in a business’s cyber resilience. Building in assurance around the effectiveness of an organisation’s cyber security controls as part of the statutory audit may be one of the regulatory levers that can drive a step change in this area.
How we can help
Our team of cyber security specialists can help you identify your cyber security risks so you can take the steps necessary to become more cyber resilient.
We review what area of your firm is at risk, who the threats are and which assets need to be protected. In addition to this, we can help shape your firm’s risk management strategy.
If you would like to discuss your firm’s cyber security capabilities, please speak to Becky Shields.