According to the survey of more than 1,200 businesses, one in five British businesses were hacked last year and only a quarter of businesses said they had security in place to guard against hacking.
The findings from the survey have also discovered that it is larger companies, with at least 100 staff, that are more susceptible to cyber attacks. Around 42% of large businesses reported cyber attacks, compared with 18% of small companies.
High-profile attacks on company databases, have hit companies, including Yahoo and telecoms firm TalkTalk.
Hackers into Yahoo’s database had accessed a wealth of personal data, including email addresses, dates of birth and passwords and even encrypted or unencrypted security questions and answers from more than a billion user accounts in August 2013.
In a Guardian article, Adam Marshall, BCC director-general, said: “Cyber-attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity. While firms of all sizes, from major corporations to one-man operations, fall prey to attacks, our evidence shows that large companies are more likely to experience them.”
Most businesses surveyed are reliant on IT providers to resolve issues after an attack, while banks and financial institutions as well as police and law enforcement agencies tend to have in-house expertise.
The extension to data protection regulation coming into force in 2017 means firms will need to increase their responsibilities and requirements to protect personal data, or prepare to face penalties for not complying.
TalkTalk had to pay a £400,000 fine in 2016 for security failings that led to it being hacked in 2015. The Information Commissioner’s Office, which levied the fine, said the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information”.
Marshall added: “More guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow in the event of a cybersecurity breach and increase clarity around the response options available to victims, which would help minimise the occurrence of cybercrime.”
