Regular readers of the Broadway ‘blog will recall that I wrote an article last month about the Government’s intended response to the growing threat of cyber attacks on the public and private sectors.
In the process of revealing more detail about the Cyber Security and Resilience Bill, which will be presented to parliament later this year, the Secretary of State for Science, Innovation, and Technology, Peter Kyle, described how the cyber threat faced by the UK had “grown more intense, frequent, and sophisticated”.
Sceptical souls who treated that statement as a mere piece of political hyperbole didn’t have to wait too long for proof of what Mr Kyle meant.
Within weeks, three of the UK’s most familiar retail brands revealed that they had fallen foul of digital disruption.
Marks & Spencer suspended e-commerce orders and shelves at some of its stores were left empty after it was targeted on April 25th.
The retailer has subsequently admitted that some customers’ personal information, including addresses and telephone numbers, was stolen in the incident.
Less than a week later, the Co-op and Harrods disclosed that they too had been affected.
Whilst both claimed to have limited the damage wrought by the hackers, they conceded that they had to shut down part of their systems in order to prevent criminals from accessing sensitive data.
Meanwhile, Marks & Spencer Chief Executive Stuart Machin has described how the business is still “working around the clock to get things back to normal”.
In advance of his speech to a conference in Manchester about cyber security, the Chancellor of the Duchy of Lancaster, Pat McFadden, said that the recent spate of incidents should be regarded as “a wake-up call” for business.
“In a world where the cybercriminals targeting us are relentless in their pursuit of profit”, he added, “companies must treat cybersecurity as an absolute priority”.
As I have explained before, Broadway’s dealings with both corporate and private clients indicate that this is very much the case.
In fact, every single conversation with business clients working in professional and financial services, logistics, retail, manufacturing and sport features at least some element about how best to anticipate or react to cybercrime.
There are those who might point to the most recent figures from the Information Commissioner’s Office (ICO) as showing that only one quarter of data breaches are the result of a cyber intrusion.
That is true but those same statistics present patterns which should not incline anyone to rest easily.
The number of cyber attacks of all types (brute force, ‘denial of service’, ransomware, malware and phishing) rose by more than 95 per cent between 2019 and last year.
Although the number of breaches stemming from human error appeared to be coming under control – down one-third between 2019 and 2022 – it has risen by a similar proportion in the two years since.
Whatever the specific factors (e-mails being sent to the wrong recipients or the incorrect verbal disclosure of sensitive material), the picture is one of a guard being dropped at a time when the Government is increasingly alive to the cyber threat.
Whether the fault of a hack or a staff member, a data breach remains a breach in corporate defences.
Having such offences registered in copious news coverage arguably has its merits.
Although it is unfortunate for those organisations involved, they serve as a reminder to everyone else of the potential financial, organisational and reputational risks which arise when something like this happens.
In my opinion, it is disappointing to find that there are people who do not take the cyber threat seriously until there is another major incident. Awareness is raised, but, for some, no meaningful action follows.
It literally pays to at least speak to an expert about whether cyber cover – and what type of insurance – is right for you.
Some large organisations have balance sheets which are big enough to cope with some, if not all, of the risk that they might face. The effects of an attack, though, can be existential for smaller firms.
I feel that the Government is right to portray the latest attacks on retailers as “a wake-up call”.
The question is how many such incidents are really required before business avoids sleepwalking into a cyber nightmare?
Written by Matin Lilley, Director of Corporate, Broadway Insurance Brokers