Finance and insurance firms lead way in fighting cybercrime – but boards need to do more

Finance and insurance firms are leading the way in the fight against cybercrime but still require more board engagement, according to government figures released this week.

The Cyber Security Breaches Survey 2019 also reveals that while finance and insurance firms are more aware of the risks than other sectors, almost half still do not have a board member responsible for cybersecurity.

The figures from the Department for Digital, Culture, Media and Sport show that amongst businesses overall, fewer are suffering cyberattacks or breaches but those that do experience more. One in three businesses (32%) was a victim of an attack or breach in the past 12 months – down from 43% in 2018 and 46% in 2017 – but victims typically reported facing six attacks, compared to two in 2017.

The figures also suggest that attacks are becoming more targeted. Phishing attacks (identified by 80% of victims) and others impersonating an organisation (identified by 28%) – both of which rely on human error – are now more common that viruses, spyware or malware attacks (28%).

Jon Abbott, CEO of IT services provider Priority One and founder of cybersecurity platform ThreatAware, says the figures reflect the trends the industry is seeing.

“Attacks are becoming more targeted and costly and cybercriminals are becoming more sophisticated. As IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. They recognise that humans are now the weakest link and increasingly the targets are directors and senior decision makers.

“It demonstrates that cybersecurity is no longer just an IT issue but a company-wide challenge, one which involves people throughout the organisation and needs to be overseen at board level.”

The report shows that 30% of firms attacked suffered a negative outcome such as loss of data or assets with the average (mean) cost being £4,180, higher than in 2018 (£3,160) and 2017 (£2,450).

It found that almost all finance and insurance firms (97%) consider cybersecurity a high priority for management, compared to 78% of businesses overall, and they also spend far more on cybersecurity, with an average (mean) investment of £22,050 in the past 12 months.

Finance and insurance are more likely than others ectors to have taken steps to identify risks (82%), to have cybersecurity policies in place (66%) and set minimum standards for suppliers (47%). However only 56% have board members with a cybersecurity brief.

Jon Abbott adds: “Finance and insurance firms are a particular target for cybercriminals, not only because they have access to funds but also because they are far more likely to hold personal information.

“While they are ahead of other firms in terms of awareness of and investment in cybersecurity, there is room for improvement through greater board engagement and by taking a more integrated approach to cybersecurity.

“As cybercrime becomes more complex, boards need to lead the fightback and work closely with IT teams and managers throughout the organisation to ensure they are in the best possible position to defend themselves against the threats.”