Major cybersecurity breaches at UK retailers and carmakers last year have raised boardroom awareness of online threats, but many senior executives warn they may go out of business if hit by similar incidents.
Vodafone Business polled 1000 senior leaders across businesses of all sizes to better understand their attitudes to cyber risk.
Some 89% claimed that big-name breaches at M&S, Jaguar Land Rover (JLR) and other firms last year made them more alert to the potential impact of cyber threats. Yet a worrying 10% admitted their organization would likely not survive a similar incident.
The ransomware attacks on M&S and the Co-op Group are estimated to have cost up to £440m. In fact, M&S alone may be on the hook for over £300m in losses after its online operations were knocked out for several months.
A lengthy outage at JLR cost the UK economy an estimated £1.9bn, making it the most expensive attack of its kind ever recorded.
The Vodafone Business poll chimes with a new Business Resilience Index released on January 22 by MSP Six Degrees.
It categorized over a quarter (28%) of UK organizations as “at risk” – with average uptime across critical business services over the past year just 73%.
Read more on ransomware: Jaguar Cyber Incident “Severely Disrupts” Sales and Operations.
Responses to the Vodafone Business poll revealed that many organizations are still poorly prepared for a serious incident.
It found that, on average, staff use their work passwords for up to 11 other personal accounts, including social media and dating sites. This puts them at risk of credential stuffing, where threat actors use automated tooling to try breached passwords across other accounts that share the same credential.
Less than half (45%) confirmed that staff have undergone basic cyber-awareness training.
AI threats are making the job of corporate cybersecurity teams even harder. Around 70% of business leaders told Vodafone that deepfakes have made them more wary of video involving senior colleagues or their boss.
Policymakers Take Note
Nick Gliddon, business director at VodafoneThree, described the findings of the research as “alarming,” but claimed that many security best practices such as avoiding password reuse and enhancing staff training “are relatively simple to implement.”
The UK government also appears to be getting the message. A second Fraud Sector Charter for telecommunications was signed by the UK’s major telcos in November and will come into force later this year.
Among other things it will force the industry to:
- Upgrade network infrastructure to eliminate number spoofing
- Introduce a “traceback” solution to help track the origin of suspicious calls in real time
- Restore trust in SMS messages by introducing sender ID verification, and stricter vetting of businesses using bulk SMS services
- Improve threat sharing for AI-generated fraud like deepfake voice cloning
- Enhance victim support
“The government’s announcement of its second Fraud Sector Charter for telecommunications, coupled with a new fraud strategy to be launched next year, marks a significant and timely development,” said Gliddon.
“This renewed focus from policymakers underscores the seriousness of the threat and the necessity of a united approach between industry and government to effectively tackle online fraud and cybercrime.”
