Cyber security has long been an important element of business IT support. Once computer literacy became widespread and access to IT systems became something many could gain (with or without authorisation), the potential for rogue actors to gain access to data and systems with ill intent became a problem.

For every organisation, this must be balanced with the benefits of data and systems being more accessible, with the internet providing far more accessibility to information and the potential for easier communication. Developments like the cloud have provided new means of storage.

How Opportunity Brings Risk

However, the reality of IT security has been that every innovation brings some potential risks and vulnerabilities, creating an ongoing battle between IT security experts and hackers.

Indeed, even innovations like antivirus software can face problems, as cybercriminals introduce anti-antivirus bugs or send phishing emails that claim to be from antivirus software providers but end up installing more viruses.

Whether it is personal and business data theft, denial of service, or extortion through ransomware, the attacks keep coming and the first thing any company should be aware of is that the threat is ever-evolving in both scale and nature.

How Not To Do It By The Book

Every so often, breaches hit the headlines in a big way, such as the hacking attack on the British Library that struck in late October. The institution has recently admitted there was an attack by a ransomware group and now large quantities of personal data from library users are trading on the dark web.

Another big event that has hit a lot of people has been a series of cyber frauds by hackers who had gained access to the Booking.com app.

The BBC has heard from dozens of angry customers unhappy with the response of the firm, which had not taken action to stop crooks from gaining access to the portals of hotels using the app. Having gained that access, the crooks contacted customers for fake payments.

A spokesperson for Booking.com did tell the BBC it is now “implementing new measures to assure the account security of both our customers and partners, including new security features to lock or block inactive partner admin accounts”, but clearly it has lost the confidence of many customers.

Incidents of this kind can cost companies custom directly among those personally affected, and also through reputational damage. They also show that the development of new customer-facing technology such as apps has provided more avenues for potential vulnerabilities to be exploited.

Why Smaller Firms Are Also Vulnerable

While the British Library and Booking.com are large organisations and are therefore more appealing targets for many hackers, they should also have substantial means to invest in more effective cyber security than a smaller firm like yours.

However, at a smaller scale it would not take such a large attack to do much damage, incur costs you could ill afford, lose you money and custom, and lead to damaging word-of-mouth publicity. Moreover, if your smaller scale means you have sought to manage a limited budget by cutting spending on IT security, you may be an easier target.

A Steady Threat – But A Real One

Figures released by the government earlier this year suggested the overall scale of detected attacks has been consistent over recent years. In 2022, 39 per cent of businesses identified a cyber attack, the same level as in 2021. This compares with the 46 per cent seen in 2017 and 2020, the joint highest figure of the last five years.

The 2020 situation may be a matter of circumstance, as the pandemic created a number of vulnerabilities hackers would seek to exploit, such as staff working from home using their own devices for lengthy periods in lockdown.

It was also in November of that year that the government launched the National Cyber Force to tackle cybercrime, so it should be hoped that the situation would improve.

The situation before 2020 was a little more ambiguous, given that the percentage of companies spotting cyber attacks was down three per cent to 43 per cent in 2018, before plunging to just 32 per cent in 2019.

That may suggest matters have regressed since 2019, but that is not necessarily down to growing failures of cyber security, complacency, or a lack of spending. In an ongoing battle, it can also reflect the advances made by cybercriminals in developing their attacks.

Your planning should not be based on headline-grabbing incidents that affect large organisations, but on the reality that around four in ten companies are hit by identified cyber attacks (and how many unidentified ones there are can only be guessed at). Security is not, and never has been, only a problem for big firms.