Digital Security

Risk Awareness

UK business leaders are overly optimistic and less aware of digital risks than their European counterparts

UK respondents to a survey of nearly 1,000 small to medium-sized enterprises (SMEs) consistently identified 2% to 25% fewer risks for each risk area analysed than their counterparts in France and Germany. External cyber risks were thought to be the most concerning category of digital threat for businesses by 68% of respondents, according to the survey by international law firm Gowling WLG. This risk is expected to grow even further, with 51% of respondents believing it will increase within the next three years.

External cyber risk was followed by customer security (57%), identity theft or cloning (47%) and rogue employees (42%) in the respondents’ assessments. More than one-third of them (40%) also thought that insufficient technical and business knowledge among employees was a risk to their business.

Helen Davenport, director at Gowling WLG, said recent wide-ranging external cyber attacks such as WannaCry and Petya had reinforced the real and immediate threat of cyber crime to all organisations and businesses.

“However, there tends to be an ‘it won’t happen to me’ attitude among business leaders, who on the one hand anticipate that external cyber attacks will increase over the next three years, but on the other hand fail to identify such areas of risk as a concern for them,” she said. “This is likely to prevent them from preparing suitably for digital threats that they may face.”

The research revealed that while nearly one-third of UK businesses feel digital risks related to regulatory issues have increased in the past three years, only 29% believe regulatory issues are a risk to their business. Risks related to highly sensitive or valuable data are the second most prominent set of risks to businesses, according to 55% of respondents. However, when asked about the EU’s General Data Protection Regulation (GDPR), which represents the most significant change to data protection legislation in 20 years, only 14% of UK businesses were aware of the fines they may face for failing to protect their data.
By comparison, 26% of respondents from Germany and 45% from France were aware of the maximum fines under the GDPR, putting UK business leaders at the back of the pack when it comes to understanding the risks posed by failure to comply with the regulation. The GDPR includes fines of up to €20m or 4% of global turnover, whichever is greater.
Despite the identification of data risks, only 52% of UK businesses perform regular data backups, compared with 66% in Germany and 67% in France. Also, only 32% of UK businesses and 39% of German businesses are open to using off-site storage for sensitive data, compared with 50% of French businesses.
The survey revealed that although most business leaders (70%) involved IT support in their digital risk management, an average of only 31% across all three countries polled said they involved legal support.
When it comes to involving legal support in digital risk management, the UK was the best at 46%, compared with 23% in Germany and 23% in France. When asked how prepared they felt for their digital risks, only 16% of all respondents said they were fully prepared.

Patrick Arben, partner at Gowling WLG, said that when affected by a cyber attack or any other digital threat, the immediate focus is to work with IT professionals to understand what has happened. “However, it is always worth taking internal or external legal advice before commencing an investigation and as circumstances change,” he said.

“The essence for all business leaders is to stop ignoring the digital risks their companies face. By doing this, they can easily and proactively work to prevent future attacks from happening.”

Read more about cyber risk

The research is being used to inform the Gowling WLG Digital Risk Calculator, an online tool designed for SMEs to highlight perceived digital risks. The law firm said the Digital Risk Calculator was created to help business owners and executives stay ahead of the most important digital risks that may affect their businesses. Whether the issues relate to cyber security, infrastructure risks or regulatory issues, Gowling WLG said its goal was to guide them through the risks so they can focus on growing their businesses.

External Cyber Attacks

  • Malware – ransomware / rogue software / malvertising / drive-by-downloads
  • The Internet of Things hacking – hacking of connected / smart devices
  • Cyber espionage – cyber theft / direct hacking / eavesdropping
  • Phishing scams – phishing / social engineering
  • Active network attacks – data modification / Denial of Service (DoS) / Distributed Denial of Service (DDoS) / password-based attacks (dictionary attack) / compromised-key attack / application-layer attack / DNS spoofing / port scanning / backdoors / bots / buffer overflow
  • Injection attacks – cross-site scripting (XSS) / injection attack / file inclusion attack
  • Session hijacking attacks – predictable session token / session sniffing / client-side attacks / man-in-the-middle attack / man-in-the-browser attack
  • Redirection attacks – URL interpretation / cookie poisoning / invalidated redirect / forward attacks
  • Mandate fraud
  • Hacktervists – ethical hackers / campaigners / cyber security businesses exposing security weaknesses in security systems

Highly Sensitive Data

  • Data theft
  • Data loss
  • Data neglect
  • Non personal customer data risks
  • Personal customer data risks
  • HR personal data risks
  • Intellectual property risks
  • Insecure practices

Identity Theft and Cloning

  • Corporate identity theft
  • Personal identity theft (C-suite)
  • Mirroring of websites to capture clients or personal information
  • Identity spoofing / IP address spoofing

Lack of Technical and Business Knowledge

  • Data mishandling – misdelivery of sensitive information / mistakenly making information publicly available on a web server or website / losing or inadequately disposing of data / losing an unencrypted laptop, cell phone or storage device such as a USB key
  • Outdated software or hardware – outdated physical device/devices used in or with your machine / outdated collection of code installed onto your computer’s hard drive
  • Outdated business processes – lack of risk monitoring infrastructure and architecture / outdated risk monitoring / lack of cyber threat intelligence (CTI) tools
  • Not following process in response to an attack
  • Lack of training

Regulatory Issues

  • Failure to understand regulations
  • Failure to comply with regulations
  • Not keeping abreast of regulatory environment
  • Rapidly evolving extensive regulatory environment (linked to the above)
  • Lack of guidance from regulators
  • Ever increasing costs of regulatory compliance