Showcasing the Best of Welsh Business

One in Five UK Businesses Hit by Cyber-attack in Last 12 months


Martyn McGrath, Director at CyberLaw, gives his views on the report published recently by the British Chamber of Commerce (BCC) in relation to the likelihood of firm’s systems being compromised.

As explained in previous articles, it is accurate to suggest that it is not a question of if your business is hacked, but more a case of when.   In our last article we covered the need for each organisation to have implemented an effective incident response plan.  We will now look in depth at what the report conducted by the BCC tells us and why it is more important than ever for businesses to act.


What have we learned?

 One in five U.K based firms have been victims of a cyber-attack within the last 12 months.  In addition, it has been reported that larger firms, defined as those with over 100 staff, were more likely to be attacked than smaller firms, according to the British Chambers of Commerce (BCC), which surveyed 1,200 companies.

In terms of statistics, the BCC has found that 42% of larger firms had been the victim of a cyber-attack, compared with 18% of smaller ones.

The advice given by the British Chambers of Commerce (BCC) is very similar to the advice given by the experts at CyberLaw.  We urge companies to do more to protect themselves.  Staggeringly, just a quarter of the firms the BCC surveyed said they had put in place security measures to protect themselves against hackingThis must improve.

What does CyberLaw recommend?

 There is a certain process firms of all sizes should go through in relation to all things cyber.  The following steps must be adhered to:

  1. Firstly, a firm should carry out a cyber audit. New regulations such as EUGDPR will make UK businesses subject to the most stringent data protection laws in the world. It is essential that businesses prepare for the introduction of these regulations.  Reputational damage associated with a cyber-attack can severely compromise customer trust and impact business continuity. A thorough and robust independent audit can avoid the inherent conflict of interest.
  2. Then, a firm should implement a Security Improvement Plan (SIP). A SIP works by identifying a path for the organisation to progressively improve its security resilience over time. A SIP should be bespoke based on a company’s risk profile, its existing cyber resilience and resources. A SIP covers all aspects of cyber resilience including people, process and technology changes required to move it to the appropriate level of identified best practice.
  3. Thirdly, Incident Response.  In the immediate aftermath of an attack, it is essential that the response of security experts is joined up and coordinated with specialist lawyers for the purposes of legal professional privilege. This is key for not only providing a swift, effective response but also for protecting valuable evidence that may be used in defending regulatory proceedings or bringing either a civil or criminal action against relevant parties