Underfunded and under attack: why UK businesses aren’t spending enough on cybersecurity

By Mark Hill, CIO at niche IT staffing firm Mason Frank

There’s barely a sliver of our lives that hasn’t been touched by digital transformation. The country’s ability to function effectively is becoming ever more reliant on technology, and that increasing dependency is raising the stakes when it comes to cybersecurity.


Every day, we generate a gargantuan amount of new data. By 2025, the total amount of data in the world is expected to reach 175 zettabytes—a near-impossible figure to wrap your head around, but to put it into context, today that collective sum is around 33ZB. The more data we generate, the greater the risk to our digital security. Every new piece of data is something else that can be leaked, stolen, or held to ransom.

As the amount of data in the world grows, so does the threat of its misuse—attacks on organisations in the UK are becoming not just more frequent but also more destructive.

According to the National Cyber Security Centre, it’s a miracle that the country hasn’t yet seen what it calls a Category 1 cyber emergency, and it’s only a matter of time before that luck runs out. Categorised as an attack that results in “sustained disruption of UK essential services”, an incident of this level would cause extreme economic, social, and even physical damage. We can’t even begin to imagine what an attack of this magnitude would look like; the 2017 WannaCry strike on the NHS, which threw countless health services into chaos, was only a Category 2.

Incidents like WannaCry are beginning to push organisations into action. The NHS has dedicated an additional £150m to cybersecurity spending over the next three years, in an attempt to head off another such event. These plans include rolling out Windows 10 across the NHS, investing £21m in firewalls and network infrastructure, and equipping regulators with new powers to scrutinise digital security standards.

While these robust responses are good news, they are still just that: responses. And prevention is always better than cure, especially when the consequences of a major attack could be life-threatening.

An evolving threat

There’s a bigger problem with the government’s plan too. According to cybersecurity experts, it tries to put a finite price on an unquantifiable, ever-evolving problem. Determining the budget before the strategy, they say, is too limiting, and fails to address security issues in a flexible, data-driven way.

Assigning a budget and trying to fit security measures within those constraints simply doesn’t account for the rapid development and volatility of cybercrime.

Cybersecurity isn’t a destination, or a box that can be ticked. The goalposts are constantly moving, and businesses and governments alike must make digital safety a perpetual priority, even if that means dealing with fluctuating strategies and resources.

For a growing number of criminals around the world, cybercrime is a full-time job. Organised groups of hackers and extorters are hard at work developing new techniques that are more devastating and more difficult to protect against. Advanced phishing methods, attacks on IoT devices like thermostats, TVs, and cameras, and malware distributed through mobile apps are becoming increasingly prevalent. Cybercriminals must evolve to survive, and so, in turn, do their potential victims.

Underspending and underprepared

Things are looking up in the UK—53% of businesses have increased their cybersecurity spending since 2016—but our expenditure still falls short in comparison to other countries.

A recent study of businesses of all sizes found that companies in the UK had the lowest cybersecurity budgets of all seven countries surveyed. Average spending on digital security came in at less than £690,000, significantly lower than the £1.12m cross-country average.

Building a security-first mindset

In the scramble to digitally overhaul their processes, many businesses are failing to take a security-led approach to transformation, bolting on security measures at the 11th hour instead of baking them into their implementations.

Leasing infrastructure from cloud vendors, hosting data online, and enabling greater connectivity between devices can be revolutionary for an organisation, but if proper measures aren’t taken, companies can find themselves exposed to unprecedented threats.

The biggest risk that comes with digital transformation is that a business’s attack surface is now much larger; data is everywhere, and the scope for an attack grows exponentially.

Increased accessibility and business-wide IoT mean that the focus needs to shift from traditional security thinking, concentrated on the data centre, to the data itself. Identity management, encryption, and multi-factor authentication must become a priority.

Too many companies think of security as the last stage of transformation—they build the house, and then add the fence. But security is not a cage that can be dropped over your existing operations. There is no switch you can flip to electrify the fences. Security needs to be knitted into the fabric of your culture.

To achieve this, UK businesses need to start tackling threats to their security with more intensity. And while spending more money on security software and precautionary measures like penetration testing is a good start, investing resources in security is about more than tech.

The number one threat to cybersecurity: unawareness

The greatest threat to an organisation’s security is not a masked hacker in a basement on the other side of the world—more than 95% of security incidents are the result of user error.

Still, the majority of staff within any business consider guarding against cyber threats to be the sole remit of the IT department. Even the smartest security systems on the planet can be undone when users are unaware of just how risky their everyday behaviour—like clicking a link in an email they believe to be from a colleague—can be.

Tackling this laissez-faire attitude to security is the most significant thing a company can do to protect itself in the face of advancing security threats. Investment in training and internal messaging, and positioning cybersecurity as an issue that directly and personally affects employees, is vital.

With cyber threats constantly shifting, businesses need to be responsive in the way they educate their employees. Having staff read and sign a code of conduct document once a year isn’t enough; it’s just as important to “patch” people as it is software.

Businesses should regularly circulate concise and informative updates, ensuring staff are aware of any new trends or threats to look out for. Users should understand that cyber threats come from all angles, on all fronts; suspicion should now be their default.

The battle against cyber threats will not let up. It’s time for businesses to invest in their defences, or face paying with more than money.