Editorial

Economic worries see small firms put security on back burner

The government’s Cybersecurity Breaches Survey 2023 also indicates firms are downplaying the cost of their data breaches.

Posted 20 April 2023 by Christine Horton


Smaller businesses are deprioritising cybersecurity, according to the Government Cyber Breaches Survey 2023.

The report said this may be because senior managers in smaller organisations view cybersecurity as less of a priority in the current economic climate than in previous years. As such, they are undertaking less monitoring and logging of breaches or attacks.

Almost a third (32 percent) of businesses and 24 percent of charities overall recall any breaches or attacks from the last 12 months. This is much higher for medium businesses (59 percent), large businesses (69 percent) and high-income charities with £500,000 or more in annual income (56 percent).

However, this is a decrease from 39 percent of businesses and 30 percent of charities in 2022. The drop is driven by smaller organisations – the results for medium and large businesses, and high-income charities, remain at similar levels to last year.

John Davis, director UK & Ireland at SANS Institute EMEA, noted that businesses are battling “enormous pressures in today’s climate, amid inflation and supply chain issues” – but hackers are looking to exploit this.

“Defending against a vast host of new attack techniques is more than tricky for businesses, especially those of small size without a security team – let alone even an IT team,” he said.

“The golden rule to remember is that prevention is always better than cure. Even the smallest of security steps can make a difference… Power comes through knowledge about how cyberattacks could happen. This is why cybersecurity training shouldn’t just be a tick-in-the-box exercise, but an ongoing journey of education for us all.”

Companies downplaying the cost of a breach?

Elsewhere, the government reported that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960. For charities, it was approximately £530.

However, these figures are way off the mark, according to Richard Staynings, chief security strategist at IoT cyber firm Cylera. He said the figure of approximately £1,100 for the most disruptive breach was “off by an order of at least one or two magnitudes.”

He said: “Organisations aren’t truly counting the cost of a cyber breach. Firstly, there’s the cost of the legal and security incident response teams, the forensic consulting, the PR and any other experts you need to bring in to handle the impact of the incident. Then, you have the loss of business due to your data and system having been destroyed. It can take two to three weeks to restore data but we have also seen situations where it has taken longer than six months after a breach before systems, devices and data are restored. Then there are the regulatory fines and punitive damages for data breaches.

“Taking all this into account, you are looking at the cost of a cyberattack being closer to a few million pounds and this doesn’t take into consideration any ransomware demand, if you pay it, which is often in the tens of thousands of pounds alone.”
