8 in 10 small UK firms hacked last year - at £65k a pop: Report

Over 80 per cent of small businesses in the UK suffered a computer security breach last year, according to new government research. And the proportion of large firms that reported attacks has reached a whopping 93 per cent. The Department for Business, Innovation and Skills' 2013 hacking survey found that 87 per cent of small …

COMMENTS

This topic is closed for new posts.
  1. Pete 2 Silver badge

    Come clean on funny money

    > The average attack caused a Blighty SMB between £35,000 and £65,000 worth of damage

    Now, we all know that doesn't mean that the SMBs in question had to get thirty five grand of cash out of their respective wads and spend that money on goods or services outside the company.

    No. All it means is they got some of their staff to do a few hours of work at some notional internal cross-charge hourly rate and a whole lot more managers to spend time in meetings, each at a vastly higher notional hourly rate. Now some of those people might, just, have got a bit of overtime or a meal allowance - but in most cases (of personal experience) they were just told to stop what they were working on: projects, Facebook updates, chatting to colleagues, long lunches, going home on time - and to sort out whatever breach had been detected.

    The reason that large companies' breaches cost more was in large part because they had more staff that they could apply to the problem. Work expands to fill the number of departments that can charge for their time.

    What would be interesting to know, but will never ever be revealed, is how much actual cash flowed out of a company for each problem that they had to fix. I would suspect that in most cases the real monetary cost was very small indeed.

    1. Brewster's Angle Grinder Silver badge

      Re: Come clean on funny money

      An economist might talk about the "lost output" as a result the breach - all the things you could have produced if you hadn't been cleaning up.

      But you seem to be saying it was funded through unpaid overtime and productivity gains (less facebooking and shorter lunches).

      1. Justicesays

        Re: Come clean on funny money

        In many cases the "clean up" cost probably includes doing all that security work you should have been doing all along.

        Checking active accounts against your employee database, patching those pesky web servers etc.

        And also creating (or acquiring) some security processes that are to be followed from then on.

        Nothing like closing the stable door and then saying it cost £65,000 to do it.
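The first item on that "should have been doing all along" list, checking active accounts against the employee database, is easy to turn into a repeatable review. The script below is an added example and not part of the thread; it reconciles a constructed directory export against a constructed HR roster (both CSV samples and their column names are assumptions) and reports enabled accounts with no owner and accounts belonging to people who have already left.

```python
"""Reconcile enabled directory accounts against an HR roster.

Added example, not from the original thread. The two CSV blocks are
constructed samples standing in for a directory export and an HR extract;
their column names (username, enabled, last_logon, end_date) are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample: a directory/account export.
ACCOUNTS_CSV = """username,enabled,last_logon
alice,True,2013-04-20
bob,True,2012-11-02
contractor7,True,2013-04-22
svc_backup,True,2013-04-23
carol,False,2013-01-10
"""

# Constructed sample: HR roster. An empty end_date means still employed.
ROSTER_CSV = """username,end_date
alice,
bob,2013-02-28
carol,2013-01-09
"""

# Non-person accounts that are allowed to exist without an HR record.
# Assumed here; in practice each entry should have a named owner.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def parse_csv(text):
    """Parse a CSV string into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(accounts_csv, roster_csv, today_iso, known_service=KNOWN_SERVICE_ACCOUNTS):
    """Return the findings an account review would raise, as of today_iso (YYYY-MM-DD).

    orphaned: enabled accounts with no HR record that are not known service accounts
    leavers:  enabled accounts whose HR record has an end_date on or before today
    Disabled accounts are skipped: they need no action.
    """
    today = date.fromisoformat(today_iso)
    roster = {row["username"]: row for row in parse_csv(roster_csv)}
    findings = {"orphaned": [], "leavers": []}
    for acct in parse_csv(accounts_csv):
        if acct["enabled"] != "True":
            continue
        name = acct["username"]
        if name in known_service:
            continue
        hr = roster.get(name)
        if hr is None:
            findings["orphaned"].append(name)
            continue
        end = hr["end_date"].strip()
        if end and date.fromisoformat(end) <= today:
            findings["leavers"].append(name)
    return findings


if __name__ == "__main__":
    result = reconcile(ACCOUNTS_CSV, ROSTER_CSV, "2013-04-24")
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Run against the samples it flags `contractor7` as orphaned (enabled, no HR record, not a service account) and `bob` as a leaver (end date in February, account still enabled in April). Treating the service-account allow list as data with an owner per entry, rather than hard-coding exceptions in the loop, is what keeps a review like this honest over time.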

  2. JimC

    > Now, we all know that doesn't mean

    A point of view that's only useful if you make the assumption that the work the staff were diverted from was not revenue earning for the company.

  3. Brewster's Angle Grinder Silver badge

    "...successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails..."

    Well no company ever answers my emails so I think the policy is already in place. Or do I just need to mention "free money" or "cat pictures" in the subject line?

    1. NomNomNom

      You need to attach FUNNY_CAT_PICTURES.EXE

      I can send it to you if you want

  4. mark 63 Silver badge

    rely on users?

    "...successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails..."

    So basically put the security of the company in the hands of the users?????

    If the threat has got to the user's desktop and is relying on their common sense - you're screwed.

    Your only (slim) chance in that system would be to make sure every user knows that if they trigger a breach, it would be instant no questions asked dismissal.

  5. David Ireland

    'According to Government Communications Headquarters, four in five (80 per cent or more) of currently successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.'

    I assume this link will tell me how:

    http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1121-10-steps-to-cyber-security-advice-sheets

    Contains the instructions. When I click it, Chrome says 'This download could harm your computer'. Oh well, that's not suspicious, I'll just agree.

    This document actually isn't bad, but it doesn't say how to identify an email as suspicious. Perhaps the spokesperson should read it.

  6. GettinSadda

    It depends what you count as security breaches...

    Having read through a good deal of the report it seems that the main reason that the figures are so high is what is categorised as a "security breach". As well as the sort of stuff you would expect (websites attacked by SQL injection, competitors getting private data by some means) you find that "confidential data e-mailed to a personal account" counts too... ok, perhaps. Then computers inside the organisation encountering a virus, even if immediately dealt with by anti-virus software (um, perhaps... but is this really a breach?), laptops being stolen (ok - um, but a security breach?), disc drive failures (er, hang on here - drive failures are now a security breach?) and the icing on the cake - data corruption caused by software bugs (WT-actual-F?)

  7. TrevorH

    I expect more from the Register than this

    Please, I expect the Register to at least take this sort of rubbish with a large pinch of salt. One of your commenters digs deeper into the reasons for these ridiculous numbers yet your writer seems to have just taken them at face value. Classic case of "Lies, damned lies, and statistics"

    1. Alan Bourke

      Re: I expect more from the Register than this

      Exactly. Vested interests in bullshit report shocker. See also most reports about the cloud.

    2. Tapeador

      Re: I expect more from the Register than this

      Quite so. 80% of SMEs paying £35-65k - nonsense.

      Probably 50% of SMEs don't even have that as TURNOVER.

    3. Anonymous Coward

      Re: I expect more from the Register than this

      Sounds ridiculously high and no details about the "hacks".

      If it's malware infections via driveby or email then I would suspect 8 out of 10 is about right for small businesses.

  8. Lewis

    "The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with the Infosecurity Europe trade show"

    John, kindly place such information at the beginning of the article...

  9. The Jase

    80%

    80% smells of bullshit to me.

    1. Will Godfrey Silver badge

      Re: 80%

      But... but...

      It's such a luverly round number. It must be true!

  10. The Godfather

    Wise up..

    When monetary loss values are 'touted', it's all about selling the stuff designed to prevent it...

  11. Anonymous Coward

    So you take a poll of 10 gas stations and chip joints in East Wesshfleifled UK and you'll find that in the last year they've lost a combined half a million pounds between them because people opened strange emails?

    Please. How many businesses *are* there in the UK? What are their average net profits?

    A small business is probably fairly lucky to be pulling down more than a couple hundred thousand in net profit per year. Are you really telling me that 'cyber criminals' are sucking down 10+% of the UK's *entire fucking business operating profit*?

    Really?

    I expect better from El Reg. This accounting makes as much sense as do the BSA's calculations showing that a broke 14-year-old who snags Photoshop off Usenet has directly cost Adobe $2600.

  12. M7S

    Unhelpful overlords

    "According to Government Communications Headquarters, four in five (80 per cent or more) of currently successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted"

    At Infosec yesterday, an enquiry was made at the CESG stand "what can you do for me, as a private business" and the reply, confirmed by a manager called over, was "nothing, we're (currently) prevented by law from disclosing our guidance and policies to anyone not working for HMG"

    Perhaps if, like the police, they offered FOC the equivalent of crime prevention advice and listed some approved hardware/software/configurations there might be a little bit less of these apparent losses taking place, all to the public good. They did say they were trying to change the law but someone somewhere imposed these daft regulations and now we're collectively paying the price.
