More than three-quarters of British businesses are braced for an escalation in cyber attacks this year, with a third predicting the financial impact will be more than £50 million.
A survey of 100 strategic and IT decision makers in UK companies found that 85 per cent expected an escalation in cyber attacks; six per cent believed the number of attacks would remain constant, and four per cent expected it to decrease.
When asked what would make their board take the business risk of cyber attacks more seriously, 61 per cent cited an attack on their company or a competitor; however, 89 per cent said they were “very” or “fairly” confident that they were well-equipped to prevent targeted cyber attacks. Around a quarter said they were “very confident”.
Henry Harrison, technical director at BAE Systems Detica, which conducted the survey, said: “2011 has clearly led businesses to re-evaluate the level of cyber threat and impact, but it seems they are slower to recognise their true level of vulnerability.
“We'd urge businesses to remain cautious and to evaluate their defences, rather than waiting until they are attacked before acting. We've seen a growing number of businesses lock the door after the horse has bolted.
“We want to ensure that 2011 isn't the beginning of a decade of our cyber adversaries staying ahead of us. Let's hope businesses' confidence in their defences is merited.”
David Harley, senior research fellow at ESET, said: “It doesn't take a very large crystal ball to predict that attacks are likely to increase. However, I'd love to know what precautions those respondents are taking that make them so confident that they can resist targeted attacks.
“I find it hard to imagine that they're all implementing extensive educational programmes so that their staff become more resistant to the social engineering components of targeted attacks. If I'm right, that probably means that they're relying on technical solutions to reduce the impact of the zero-days that tend to carry the technical payloads.
“It's not a matter of which kinds of attack they should be aware of: it's a matter of persuading them that they need to expect the unexpected.
“It doesn't surprise me, however, that so many think their board won't act until there's an attack close to home. That's been the story of security procurement within the enterprise since the Jurassic. The problem is that there's a perception that targeted attacks are only directed towards big names like RSA and Lockheed, or government departments. That's already significantly less true than it was a year ago.”