‘Extremely scary stuff’: Cyber security experts warn on threat to businesses

You are probably one in ten: but don't take it as a compliment because that is the level of cyber security your business now stands at.

“An organisation with a really good cyber security policy will perhaps be a nine out of ten because no one can be a ten,” says Andy Hague, director at cybersecurity consultancy 4Tsec. “However, where would I rate most businesses? Perhaps just one. That's how poor their security is.”

The Yorkshire Post’s sister title Insider brought together a group of cyber security experts and dealmakers to assess how serious the cyber threat to businesses was: the consensus was that it is bad, and that it is growing in both scale and sophistication - yet the vast majority of companies treat security as a cost rather than a critical investment, even though an attack is a matter of “when” rather than “if”.


Cybercrime, according to official statistics, is already huge and growing at a rapid rate in both scale and sophistication.

The Yorkshire Post’s sister title Insider brought together a group of cyber security experts and dealmakers to assess how serious the cyber threat to businesses was. Photo: Dominic Lipinski/PA Wire

The number of daily attacks now tops 21,000. Almost half of UK businesses have suffered an attack in the past five years, with a typical ransomware demand - the most common form of cybercrime - running between £100,000 and £200,000. Over that time, cyber attacks have cost UK businesses an estimated £44bn. Increasingly, SMEs are being hit: businesses employing between 11 and 50 people experienced a 42 per cent rise in breaches and a five-fold surge in associated costs during those five years.

So serious is the issue that the UK is set to become the first country in the world where government institutions will be forbidden from paying to have ransomware - the most common form of cybercrime - removed, in the belief that if we don't pay, the criminals will look elsewhere.

The growing sophistication of cybercrime is partly driven by technology, particularly from military conflicts - “extremely scary stuff that wasn't there five years ago,” says Hague - filtering down. In addition, AI is exponentially accelerating the sophistication of attacks, allowing new code and malware to be developed in minutes.


The boom is also being driven by what Stephen Mason, managing director of Mason Infotech, calls shadow IT - staff or even entire organisations downloading applications on trust, with no idea who is behind them.

“Shadow IT occurs when someone downloads an application - it may even be a great one for, say, organising annual leave - but has absolutely no idea who created it or where it originated,” he adds. “Most businesses have no idea about what their staff are actually using. There’s also a general lack of awareness of the risk in what you're uploading. If you upload your company accounts to an AI system, you may be sharing them with the entire world, data that may be referenced and accessible to others. It’s a significant security risk that most businesses fail to consider.”

“It’s incredibly easy for someone to purchase a service with a credit card, upload sensitive company data - such as source code - to an AI tool, and use it to analyse, summarise, or even generate content,” adds Guy Bunker, director at Kinnami Software. “The problem is that other people within the organisation often have no idea what data is being shared with AI engines or what is being produced.”

However, the biggest driver is not so much the technology but the evolution of cybercrime as a sophisticated economy, shadowing techniques such as franchising, marketing and payment used by legitimate businesses. It is now the business of organised crime: so lucrative that even states such as North Korea see it as a form of income.


“Ransomware in particular is now fast becoming a professional, franchise model, a pay-to-use service,” says Hague. “It’s awesomely good from a business perspective, so good that I have this begrudging admiration for it. Those at the top earn millions a day; those at the bottom take all the risk. You go onto the dark web and say, ‘I'm interested in targeting these businesses.’ Off the message goes. You get a service level agreement, pricing, and information to maximise the success rate. All that data then feeds back into the system to improve the next attack. It gets better and better.”

The irony is that SMEs are rarely the direct target of cybercrime: usually, they are collateral damage as criminals go after larger institutions, usually in lucrative sectors such as IT, defence, banking, insurance, retail, hospitality and education.

The irony is that a fairly good level of cyber security is not that expensive. The average monthly fee ranges from £40 to £500. With additions, a company of up to 50 employees could expect to pay £2,000-£5,000 a year for basic cover, and £8,000-£12,000 for businesses with 250-499 employees.

However, many businesses are still reluctant to buy good security, seeing it as a grudge purchase.


“From an SME point of view, cyber security is not a priority purchase,” says Mason. “It's not happened to them, so why do it? They don't understand that they're more likely to be collateral damage than a target. If regulations aren't there to control something, people always take the quickest route to the dollar because that's what you do in business.”

“Cyber security's often seen as insurance, and everybody hates paying for insurance,” adds Bunker. “Cyber security companies need to show they provide everyday value for when, not if, something goes wrong. Cyber only hits the news when there’s a problem: like house insurance, they don't ring up saying, ‘You’ve not been burgled again.’”

“I've been in so many meetings in other organisations where they call cyber security ‘insurance’,” adds Ian Vickers, chief executive of Metcloud. “It’s not ‘insurance’, it's ‘assurance’. We're giving you assurance that we're going to protect you. It's a completely different language. We're all about risk reduction.”

©National World Publishing Ltd. All rights reserved.