Between the US elections and the hacking of Ashley Madison, cybercrime can sometimes sound like the plot of a Hollywood movie rather than anything the majority of British businesses should be worried about. After all, what could Vladimir or Kim Jong-un want with an engineering firm just outside of Middlesbrough?
The truth is that the vast majority of cybercrime is not state-sponsored subterfuge. In fact, most of it is simply old-fashioned crimes in new settings. Indeed, the increase has had some unanticipated effects: the number of UK bank robberies has fallen from 847 in 1992 to just 66 by the start of this decade, suggesting that the days of swag bags and getaway cars might be coming to an end. Instead, those who might have been tempted have now simply moved online. For all the jargon, malware to ransomware to scareware, it’s essentially just somebody wanting to take something they don’t have, and potentially selling it back to you for a handy profit.
The number of cyberattacks on British businesses continue to rise and that shows no particular sign of stopping. Yet, though these events are crimes like any other, the reaction of businesses to them is strikingly different. Our research last year suggested that only a quarter of cyberhacks were even reported to the police, the risk of reputational damage deemed too great in some cases but also because business leaders simply have no idea where to turn.
Our new report, published today in collaboration with Barclays, reveals that four in ten directors wouldn’t know which authority to alert if they were hacked or a victim of online fraud. Combine that with revelations in this newspaper in 2015 that police investigate fewer than one in a hundred frauds that are reported and you start to draw a picture in which cybercriminals are operating with something dangerously close to impunity.
Business leaders are not entirely blameless. They would come down like a ton of bricks on a staff member who forgot to lock the door and set the alarm at the office over the weekend, and yet our report demonstrates that too many SME owners continue to access personal information on their smartphones or laptops over public wifi. Let’s be clear: it is not a good idea to use the public wifi on the tube to conduct sensitive financial transactions. Close to one in five IoD members are unaware of what virtual private networks even are, let alone using them. Wising up to the threat is the first step to fighting it. Less than half have a proper cybersecurity strategy in place across their business.
Nonetheless, it is time for government to do more to tackle the scourge of cybercrime, a peril that might be the defining business threat of the 21st century. If we are to ensure that Britain leads the way in the digital economy, we have to trust that the data that underpins it is safe and secure and government and GCHQ has a role to play in promoting far better behaviour amongst the business community and the public at large. Cultural change is required and that is difficult to institute across an entire populace, but if it is achieved it invariably requires leadership from the very top. They’ve made a good start — any firm bidding for a decent-sized public contract now has to have gone through the Cyber Essentials programme which is welcome, if imperfect.
One of the perennial problems we see is the disconnect between well-meaning Whitehall schemes and their impact on the ground. During the last parliament we found that only one in five of our members had had any interaction with the business department at all over a year-long period. Government needs to do a better job of targeting information and advice to businesses, joining up data across different departments to ensure it gets to the right people. One doesn’t have to be too much of a cynic to find it ironic that it’s HMRC that seem to be the most effective at reaching out to our members.
With the internet of things and self-driving cars no longer the stuff of tomorrow’s world but becoming reality, the number of vulnerabilities in our daily lives and infrastructure will only increase. Getting ahead of that threat must be a priority for government, business organisations like the IoD and entrepreneurs and directors themselves.