Why no business or sector is immune from cyber threats

Posted: 24 November 2020

It’s no longer just large corporate organisations which face the threat of cyber attacks. 

Increasingly, evidence shows that businesses of all shapes, sizes and sectors can experience a cyber attack as companies become progressively digitalised and deal with sensitive data which acts as a lure for cyber criminals. A 2020 report revealed that almost half (46%) of businesses had experienced a cyber attack or breach over a 12 month period, up from 32% the previous year.1


Cyber attacks can be expensive. According to research from the Ponemon Institute, the average total cost of a data breach for a UK company is £3.1 million.2  Whilst this can be hard enough for large organisations to swallow, it could mean ‘game over’ for smaller enterprises. 

Not only are SMEs unlikely to have the same financial resources available as their larger counterparts for equipping themselves with cyber security software or sophisticated IT systems, but they’re also less likely to have IT teams, human resources or legal departments to assist where a breach occurs. Costs in the form of financial penalties, legal costs or those associated with reputation management can also add to the financial burden.


Regardless, a 2020 report revealed that 81% of UK SMEs had suffered a data breach or cyber attack, with 37% confirming multiple breaches.3  There’s a suggestion that some hackers use smaller businesses as a ‘gateway’ to larger organisations. This works by penetrating a smaller company’s network and gaining access to a larger, partner company’s data and information through shared connections and platforms.

Raising awareness of cyber security is essential, as it’s often an innocent employee who inadvertently lets the criminals in; as many as 90% of cyber data breaches were found to be caused by human error in the UK in 2019.4

Whilst no business is immune, certain industries appear to be more targeted than others. Recent data5 showed that the industries which had experienced the highest number of breaches included the healthcare, IT & telecommunications and legal sectors. There are a number of factors which increase the vulnerability of a business to cyber threats.
Any business which stores sensitive and/ or personal data is of interest to cyber criminals since they can seek to sell this information for profit.; this covers a wide range of sectors from healthcare to financial institutions and educational establishments. The NHS is one such example since it keeps highly sensitive information including medical insurance details, National Insurance numbers and medicine records. In May 2017, the WannaCry ransomware attack prompted NHS England to declare a major cyber security incident which resulted in an approximate overall direct cost to the NHS of £92m with over 19,000 appointments cancelled.

As globalisation results in more interconnected supply chains, the risk of an attack originating through a supplier or third party increases. Many suppliers or parties can contribute to a single product or service and essentially, the more touchpoints, the greater the risk.

Organisations may struggle to gain a clear idea of security vulnerabilities in their wider supplier eco-system due to proprietary data privacy regulations or where upstream or downstream suppliers are distant in the supply chain and based abroad. The automotive industry is one such example.

Increasingly, many legal firms are choosing to partially or totally outsource services to external suppliers. The sensitive information and large amounts of money held by law firms makes them attractive targets for cyber attacks. Further, the increasing use of robotics and automation introduces new attack surfaces which can be exploited by cyber criminals. In 2018. the National Cyber Security Centre6 reported the most significant types of attacks on law firms as phishing (where an entity posing as a legitimate institution seeks to obtain sensitive information), data breaches and ransomware attacks.

In today’s world, most businesses rely on some sort of IT system or etrade platform, but where these are old or unsupported, they can provide an easy access point for cyber criminals. Conversely, overly complex IT systems can also pose issues due to poor patching or where they ‘talk’ to third party networks. Ransomware, DDoS (distributed denial of service) and SQL Injection are some common types of attack on IT systems. The latter, SQL Injection, is an extremely well known and easily avoidable attack that involves cyber criminals exploiting system vulnerabilities, for example by inserting code into the website search bar which enables them to amend, interact and extract from databases.

 In October 2015, telecommunications company TalkTalk reported it had been subject to a SQL Injection attack, which enabled thieves  access customers’ personal data including names, addresses, dates of birth and financial information. In total 156,959 customers’ personal details were accessed, including the bank details for 15,656 customers. A problem was first identified when internal reports showed its network was operating more slowly than normal. Further investigation found there had been an attack and TalkTalk replaced its websites with a holding page, reported the data breach to the Information Commissioner’s Office (ICO) and started telling its customers. The ICO’s investigation found that TalkTalk had failed to take appropriate measures to keep its customers’ personal data secure and issued its largest ever fine at the time - £400,000.

security on computer

Whilst certain cyber trends can be observed with relation to type and size of organisation, it’s evident that cyber poses a threat to all businesses which deal in data. Sadly, even charities are not immune, with over a quarter (26%) having reported a breach7.

Robust risk management measures and education on the right cyber-security behaviours are key to helping to prevent an attack or breach from occurring in the first place – and this is what our third and final article in this series will focus on.

Christian Simpson
Senior Cyber Underwriter

1 Department for Digital, Culture, Media & Sport. Cyber Security Breaches Survey 2019.

2 Ponemon. Cost of a Data Breach Report

3 OGL Computer  State of Technology at UK SMEs: 2020 Research Report. p11

4 CybSafe analysis of data from the UK Information Commissioner’s Office

5 OGL Computer  State of Technology at UK SMEs: 2020 Research Report. p11

6 National Cyber Security Centre. The cyber threat to UK legal sector. 2018 p.5

7 Department for Digital, Culture, Media & Sport. Cyber Security Breaches Survey 2020. p3