Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months.
Out of the 20% of UK businesses hit by cyber attacks in the past year, 42% were companies with more than 100 staff, compared with 18% with fewer than 99 employees, according to the survey of more than 1,200 businesses by the British Chambers of Commerce (BCC).
The results indicate that 63% of businesses are reliant on IT providers to resolve issues after an attack, compared with just 12% of banks and financial institutions and 2% of police and law enforcement organisations.
The findings show that while 21% of businesses believe the threat of cyber crime is preventing their company from growing, only a quarter of businesses have cyber security accreditations in place, such as the UK government's Cyber Essentials Scheme or ISO 27001.
Smaller businesses are far less likely to have accreditation, with 10% of sole traders and 15% of those with 1 to 4 employees having accreditations, compared with 47% of businesses with more than 100 employees.
Of the businesses that do have accreditations, nearly half believe it gives their business a competitive advantage over rival companies, and a third consider it important in creating a more secure environment when trading with other businesses.
Businesses that use personal data should be mindful that they will have to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.
In October 2016, the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122 billion in penalties for data breaches under the GDPR, which will introduce fines for groups of companies of up to €20m or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000.
Using UK data breach statistics for 2015 and a maximum fine of 4% of global turnover, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated.
The cyber threat to UK business is significant and growing, according to a joint report by the UK National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) published in March 2017.
However, the report said UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.
The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.
Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic “cyber hygiene” to customers and employees.
Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber-security Information Sharing Partnership (CiSP), the report said.
Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.
Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.