UK IT and technology firms are prime targets for cybercrime, according to new research by Keeper Security. The IT and Technology Cybersecurity Census Report reveals that, on average, UK IT and tech firms experienced 67 cyberattacks in the last 12 months, equating to more than one attack per week and, concerningly, almost 1 in 5 (18%) experienced over 500 attacks in the past 12 months. These figures are significantly higher than in other industries, with the average UK business experiencing 44 cyberattacks in the last year.
The average IT and tech business will see these attempts translate to around three successful cyberattacks each year, with a huge cost to being compromised. As a result of a successful cyberattack, a third (33%) of IT and tech firms experienced disruption to trading, 30% experienced theft of financial information and almost a quarter (23%) suffered theft of corporate information.
The financial losses are equally impactful. More than a fifth (22%) experienced theft of money as a result of a successful cyberattack and, of those that had money stolen, over half (51%) lost more than £10,000 and nearly a third (30%) lost between £100,000 and £999,999. These financial losses can easily prove fatal to a business, especially as the global economy navigates a looming recession.
Prevention rather than cure
Just one-quarter (26%) of UK IT and tech organisations say their business is ‘very well prepared’ to defend against cyberattacks and just 14% believe that businesses in general are very well prepared.
With threats becoming increasingly difficult to manage, over two-thirds (67%) of UK IT and tech firms report the time taken to identify and respond to a cyberattack has increased in the past 12 months. These findings indicate the increasing sophistication of attacks by cybercriminals, something which is compounded by a skills and solutions gap.
Positively, 91% of IT and tech firms conduct threat assessments within their organisations on at least a monthly basis, with 37% conducting them weekly. Although some level of regular threat evaluation is part of most firms’ security infrastructure, only a sliver are protecting themselves with a framework to manage identity security. Just 16% say they offer a highly sophisticated framework to govern access to their systems, which gives them high visibility into usage and a clear framework to make changes as needed.
Concerningly, almost a quarter (23%) of organisations say they leave it to employees to set their own passwords and access is often shared among employees as needed. At present, one-third (33%) don’t have a secrets manager to help manage IT secrets such as API keys, database passwords and credentials, although 27% say they lack one but are planning to invest.
Investing in the future
The study’s findings suggest that organisations are taking steps to secure their future in the face of increasing threats. Over three-quarters (76%) of respondents say they have invested in cybersecurity personnel within their organisation over the past 12 months, with a further one in five (20%) reporting they have plans to hire a cybersecurity specialist. It seems firms are acknowledging their skills gap and taking steps to close it.
When it comes to changes to cybersecurity tools, the top changes implemented by UK IT and tech firms have been in training and increased spending. More than half (54%) say they have increased cybersecurity training within the organisation over the past 12 months and 46% say they have increased their spend on cybersecurity software.
Increased investment is crucial, but its effect will be limited if firms don’t also cultivate an environment of transparency and accountability divorced from fear. Worryingly, 61% of IT decision makers in IT and tech organisations have been aware of a cyberattack and not reported it. This percentage is higher than the average across all industries, with 55% of total respondents keeping a cyberattack to themselves.
IT and tech organisations are committed to a level of regular security training, with 70% training their employees on cybersecurity threats on at least a monthly basis, and a fifth (20%) training them weekly.
Darren Guccione, Keeper Co-founder and CEO, commented: “Although UK IT and tech firms recognise the level of threat they’re under, our research shows there’s a disconnect between concern and effective action. As IT and technology businesses develop their plans for 2023, addressing these discrepancies should take top priority. IT leaders’ instincts are good and organisations should work collaboratively to address their concerns and be proactive about finding solutions to create stronger, more resilient and more secure organisations in the coming year.”