New research carried out by cyber crime experts, FoxTech, has revealed that the five UK industries with the weakest cyber security – and therefore most at risk of a cyber security breach – are mechanical and industrial engineering (with a CyberRisk score of 59.1), environmental services (57.8), furniture manufacturing and installation (56.8), logistics and supply chain (56.5), and construction (56.2).

The research is based on analysis of 9500 companies in the UK, and used a CyberRisk score, a diagnostic tool which calculates risk using publicly available information and an analysis of a wide range of cyber security indicators. Companies with scores of 25 or less are considered to be at a low risk of attack, while scores of over 50 demonstrate a high risk. FoxTech’s report found that other industries with scores over 50 included higher education (56.0), accounting (55.2) and hospitals and healthcare (53.4). Scores higher than 75 indicate an extreme risk of attack.

Anthony Green, CTO and cyber crime expert at FoxTech, explains more:

We audited thousands of UK companies across a wide range of sectors and found that while industries such as financial services, aviation and government administration had a lower risk of falling victim to a cyber crime, many other industries were not doing enough to protect their systems from attack. It is encouraging that no sector averaged at an extreme risk of attack, with a score more than 75. This is reflective of many businesses’ increased investment in cyber security in the past year. However, a score of over 50 still demonstrates a high vulnerability to cyber crime, so it is concerning that many of the UK’s key industries fell into this bracket.”

What common security issues did FoxTech’s report identify?

Anthony explains:

It’s not that organisations don’t care about having good cyber security, but that they are unaware that their IT infrastructure contains weaknesses that make them a potential easy target for hackers.

Companies often don’t realise that their anti-virus or endpoint protection software is incorrectly configured, or simply not robust enough to stave off an attack. Another common misconception is the belief that you are safe from attack if you use cloud-based services, rather than an internal server. This is not the case – in fact, 46.3% of the companies we surveyed were using a public cloud provider, but many were still at a high risk of attack. Inadvertently leaving assets exposed to the internet is another big issue. Some businesses we surveyed had databases visible to the internet, and over 40 companies had a camera accessible from the internet!

Sometimes, an organisation can be exposed by something as simple as poorly managed user accounts or using out-of-date software and obsolete or end-of-life technology – as was the case with 4.7% of businesses we surveyed. Email filtering is also a vital aspect of any good cyber security strategy. Only 55.4% of companies we surveyed has email filtering in place, and just 13.7% had DMARC correctly configured to prevent email spoofing attacks.”

Anthony highlights that hacking is a gradual process, and not something that happens overnight. On average, hackers will spend 207 days between breaching a company’s IT security and exploiting it.

“The fact that hackers are going undetected for so long shows that businesses usually have plenty of time to detect intruders and prevent a cyber attack from occurring – if they know where to look.”

The answer? Anthony says:

The best thing to do for any company is to arrange a cybersecurity audit of their IT systems, processes and procedures. This won’t necessarily be through their IT provider, but via an independent cyber security company that is set up to focus fully on cyber security and can protect businesses and their customers on a much higher level. A good audit will involve vulnerability scanning – also known as ethical hacking, where a cyber security expert tries to enter your system, just as a malicious hacker would, but with the intention of helping you find and fix your security weaknesses before they are exploited by a cyber criminal.

Companies interested in finding out their own CyberRisk score to get an immediate indicator of how high or low their security risk is can order this for free from FoxTech’s website: CyberRisk | Third Party Risk Management | Foxtech (foxtrot-technologies.com)