Thank you for contacting us
Your message is important to us, we will be in touch shortly.
The global annual cost of cybercrime is set to skyrocket to a staggering $10.5 trillion1. Nearly three times more than just a decade earlier, the figure is larger than the global drugs trade. Any individual organisation has perhaps a 40% chance of an attempted cyber-attack in any given year, a number which seems certain to rise.
Robust cyber security is essential to business survival. And in our view, outsourcing specific responsibilities to a trusted partner is the only sensible strategy.
The value of strong cyber security measures
At ITPS, we see many small and medium-sized businesses performing most IT tasks internally, with external partners only called upon for ad hoc support. This is a risky strategy and one that could cause great disruption and damage to an organisation.
Take the recent example of a legal services customer, managing its own infrastructure in-house, that suffered a ransomware attack in November 2023. It was targeted by the Akira Ransomware Group, which bypassed an out-of-date and unpatched firewall to extract files and encrypt the remaining copies.
The damage has been substantial. Though the firm hasn’t paid the ransom demand, it has nevertheless been hit with remediation costs – covering consultancy fees, overtime payments and IT system outlays – costing five times more than if correct preventative measures had been in place.
Its very old back-up tapes were in a poor state, introducing more challenges, but eventually the business managed to recover a two-month-old data set, with staff working non-stop alongside clients and partners to reconstruct transactions to the present day.
The firm was fortunate the demand came just after the payroll had been run, meaning sufficient working capital was available to support its recovery. In other circumstances, however, bankruptcy could have been unavoidable. And while the Information Commissioner’s Office appears satisfied with the company’s response to the attack so far, the compromise threatens to leave a lasting legacy.
And then there’s the element of trust.
Client data isn’t just names and bank accounts. It is wills, divorce settlements, trust arrangements – the things people value as their most confidential information. To know that data has been accessed for potential publication on the dark web means a significant amount of relationship rebuilding between client and company.
Two partners were vital in the recovery effort: ITPS, as the cyber security specialist, and a barrister well-versed in ICO, regulatory and PR matters. Between them and the customer’s management team, working non-stop over several weeks, a semblance of order was restored and a plan developed and implemented.
But the customer team still talks about the emotional, rather than the financial, impact of the attack: the shock, fear, anger and grief. Anyone who has been burgled knows the feeling; it isn’t about the broken window or missing television, it is the sense of violation.
For this customer, the journey from being a victim of a cyberattack to becoming a more secure and vigilant organisation has started.
Fully managed and monitored systems, better access control, lots of training and secure, off-site back-up are part of changes to decrease the likelihood of an attack being successful, and to reduce the consequences if another hacker does break into its systems. And the strategy will be tested regularly. After all, it’s what we do with fire alarms.
So, what is the right strategy?
We think that there are two main components of the right strategy.
The first is to outsource support, with well-defined responsibilities.
Managed service providers (MSPs) are equipped to offer a more effective defence against cyber threats at a fraction of the cost of building the same capabilities internally. They protect systems, reducing the likelihood of a successful attack, and can design-in and practise effective recovery mechanisms too.
Additionally, MSPs simplify the process of complying with various regulatory frameworks. This ease of compliance is invaluable, considering the complexity and diversity of regulations across industries.
Given the increasing sophistication and potential impact of cyber threats, establishing a partnership with a competent MSP, such as ITPS, is not just a tactical choice but a strategic necessity.
Our second recommendation is to turn a necessity into a virtue.
This isn't just about mitigating risks; it is also an opportunity to transform a necessity into a competitive advantage.
If they don’t already, insurers, regulators and, increasingly, customers will demand you have adequate cyber security provisions in place. In an era where digital threats are becoming more sophisticated, showing your business is well protected can be a significant market differentiator.
We all live in a high-crime neighbourhood now, and collectively we’re not spending enough on prevention. But there’s more to it than that: cyber security is an investment in your company’s future, reputation, trustworthiness and, quite possibly, its very existence.
So, instead of doing the bare minimum, why not fully embrace robust cyber security measures and use them to propel your business ahead of the competition?
The economic case
The first consideration is whether your organisation is spending enough on security.
A recent Hiscox report showed the average proportion of IT budget on cyber security rose in 2022 to 22 per cent2, which, for the average UK business, means cyber security spend should be circa £1,200 per year per employee.
There is very little data in the public domain about the costs of cybercrime for individual organisations. Not surprisingly, most victims don’t publicise the scale of their losses.
Our own customers, when unprotected, have found that remediation costs are typically five times the amount they could have spent to protect themselves. But everyone’s vulnerability profile is clearly different.
If your turnover is £118,000 per employee, the UK average3, then the IT budget should be circa £5,664 per head, based on an average budget of 4.8 per cent4. Spending 22% of this on cyber-security would make the average cyber security spend £1,246 per head.
Then you should consider the question of in-sourcing or out-sourcing. In our view outsourcing presents a two-fold economic advantage:
Firstly, it allows businesses to access specialised expertise and state-of-the-art technology without incurring substantial costs. This is crucial, especially for small and medium-sized enterprises that might find the cost of building an in-house team prohibitive - security specialists are expensive people and difficult to retain.
Secondly, outsourcing shifts the financial model from capital expenditure to operational expense. When technology is changing fast, flexibility and scalability are important.
There are four areas where MSPs are able to take meaningful responsibility, offering more value than a hard-pressed, internal IT team could reasonably deliver:
• Proactive threat intelligence: MSPs use sophisticated tools and global threat intelligence to give businesses insights into potential vulnerabilities and emerging threats
• Customised security solutions: Understanding the unique nature of each business, MSPs offer tailored solutions that align with specific business objectives and risk profiles
• Continuous monitoring and management: MSPs provide round-the-clock monitoring and real-time response capabilities, ensuring threats are identified and addressed promptly
• Incident response and recovery: In the event of a breach, MSPs offer swift and effective incident response services to minimise damage and assist in the recovery process
Unless your organisation is large enough to support an IT team of several tens of people or more, it is the economies of scale, and the expertise and the experience of the MSP in all of the above, that are the reason to outsource.
Emerging trends
2024 and beyond will be characterised by the rapid advancement of AI in threat detection, the growing complexity of regulatory compliance and the critical importance of cloud security.
These trends underscore the need for organisations to adapt and strengthen their cyber security strategies with a focus on innovation, compliance and proactive risk management.
• AI and machine learning:
According to IDC, AI-driven breach detection systems are poised to detect 75 per cent of cyberattacks before they inflict major damage by 2024, a notable increase from 15 per cent in 2022. This advancement underscores the integral role of AI in enhancing the capabilities of security operations centres. The deployment of these technologies represents a strategic shift in how cyber threats are identified and mitigated, necessitating a higher calibre of expertise in the field.
• The increasing complexity of regulatory compliance:
The landscape of data protection is becoming increasingly intricate. The Data Protection World Forum reports that there were more than 160 data protection regulations worldwide by 2023. This presents a significant challenge for organisations, requiring a strategic approach to ensure compliance. It’s essential for business to stay abreast of these changes and integrate them into their cyber security strategies.
• The critical importance of cloud security:
With the continued migration of business operations to cloud-based solutions, the emphasis on robust cloud security measures intensifies. Gartner’s analysis suggests that through 2025, 99 per cent of cloud security failures will be due to customer oversight5. This statistic highlights the necessity for expert management and practising of security measures in cloud environments. Organisations must prioritise cloud security as a fundamental aspect of their overall cyber security posture.
Where should I start?
Begin by running an assessment of your current cyber security posture: engage with an MSP to perform security posture analysis, penetration testing or a similar assessment.
Such comprehensive appraisals will provide a detailed analysis of your organisation’s overall security health and readiness to respond to cyber incidents.
If you haven’t done so already, implement the Cyber Essentials' framework, a Government-backed, industry-supported programme that helps organisations protect themselves against common online threats. It is essential for ensuring basic cyber hygiene and meeting certain regulatory requirements.
All of the security measures are for nothing, though, if your employees do the wrong thing, so training and awareness, and educating employees about cyber security best practice is crucial for mitigating risks posed by human error or insider threats.
Regularly review your cyber security measures for compliance with industry standards and regulatory requirements. You might also consider adopting the ISO27001 standard.
Much of cyber security lies in performing some of the more mundane elements of IT management thoroughly, particularly keeping software and systems up to date: maintenance and patching failures are at the root of many cyberattacks and, for over-stretched IT staff, are often the first thing to go.
Implement a security operations centre, a 24/7 service that will monitor the millions of events in your systems and networks, and spot the anomalies and the unusual patterns that might be the first hint of an attempted attack.
Back-up is useless without the ability to recover. There is little point taking regular back-ups if you don’t have the ability to restore the data to a clean and secure infrastructure. When your systems suffer a malware attack, you probably won’t be able to back-up to the same hardware, for instance.
Testing the recovery process is key and should form part of a wider exercise in which all elements of a cyberattack response are tested. Outside the scope of just the technology, your recovery plan needs to include communication with employees, suppliers and clients. You will want to set some parameters for involving your insurers, lenders and regulators, including the Information Commissioner’s Office. The key financial processes will also need contingency plans, including billing, accounts receivable, accounts payable and payroll.
The more these matters are dealt with and war-gamed in advance, the less stressful and expensive recovery will be.
In all of the above, partners that you trust will be crucial.
ITPS is one of those partners for many of our customers. Perhaps, we could do the same for you?
References
(1) https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
(2) https://www.hiscox.com/documents/Hiscox-Cyber-Readiness-Report-2022.pdf
(3) https://accountsandlegal.co.uk/small-business-advice/average-uk-employee-generates-118-000-of-revenue-per-year
(4) https://www.metrics.biz/en/blog-post/it-budgets-2023-growth-at-a-slower-pace.html
(5) https://www.gartner.com/smarterwithgartner/is-the-cloud-secure
- Articles