The 2017 Cyber Security Breaches Survey, recently published by the UK Department for Culture, Media and Sport (DCMS), has highlighted significant concerns about the growing threat of cybercrime to businesses and the difficulty organisations are experiencing in trying to defend themselves.
The extensive study surveyed over 1,500 UK businesses and involved a combination of telephone surveys and follow-up interviews. The results of the study indicate that almost all businesses are exposed to cyber security risks and most view cyber security as a major priority. Despite this, a worryingly large portion lack the technology, processes and expertise to effectively manage threats and mitigate breaches. The survey echoes many of the sentiments raised in a recent British Chamber of Commerce report which suggests that businesses should seek to address their cyber security failings as a matter of urgency.
Growing awareness of cyber security risks
Beginning on a positive note, it appears that businesses of all sizes are starting to appreciate that action is needed to tackle cybercrime. 74% of surveyed businesses indicated that cyber security was a high priority for senior management, with 31% listing it as a ‘very high’ priority. Furthermore, the proportion noting it as a ‘very low’ priority has halved since 2016 to as little as 7%, with even the smallest businesses recognising that no-one is immune from attack.
Evidence that all businesses are taking cyber security more seriously could be explained by the fact that the risk of suffering an attack is growing. The proportion of businesses with websites (85%) and social media pages (59%) has increased since 2016, as has the use of cloud services (59%). Perhaps more pertinent given the fast-approaching GDPR implementation deadline is the statistic that 61% of businesses hold personal data on their customers electronically.
The need for businesses to do more
A less promising finding of the survey, however, is the extent to which businesses are actively investing in tackling cyber security issues. While 91% of large firms and 87% of medium-sized firms have spent money on cyber security in the past year, the overall figure is 67%, indicating the reluctance of many organisations, particularly smaller companies, to commit budget to mitigating cyber risk.
Among businesses investing in cyber security, a breakdown of spending statistics highlights a widespread failure to address fundamental cyber security controls, which with the right skills and knowledge can otherwise be put in place without incurring significant expense. These include:
- Only 37% have segregated wireless networks or any form of data encryption
- Only 33% have a formal cyber security policy in place
- Only 29% have made a specific board member responsible for cyber security
- Only 20% have conducted cyber security training in the past year
- Only 13% require suppliers to adhere to any specific security standards
- Only 11% have an incident management plan to respond to cyber breaches
Data breaches on the rise
Perhaps somewhat inevitably given the data security shortcomings outlined above, cyber-attacks against businesses of all sizes are on the increase. 46% of businesses surveyed identified at least one cyber-attack in the last year, with the figures highest for medium-sized (66%) and large firms (68%). Breaches are also more frequent among organisations that hold personal data than among those that don’t, indicating that cybercriminals are continuing to prioritise organisations that hold valuable employee and customer data.
It’s also important to note that the number of breaches detected varies significantly among surveyed businesses. Of those that detected attacks in the past year, 37% detected only a single breach, the same proportion (37%) were breached at least once a month, and 13% were breached at least once a day.
The largest businesses surveyed were breached so often that the average large business identified 998 breaches in the past year*, originating from a range of sources including fraudulent emails, viruses, malware, spyware and ransomware. A significant portion of these attacks caused business disruption and financial losses, with 57% of organisations noting that a breach adversely affected their organisation.
*Note: The average figure is pushed up by the minority of businesses that experience hundreds or thousands of attacks in this time frame.
Perhaps one of the most concerning figures in the study is the revelation that only a quarter of businesses reported their most disruptive breach externally. Further findings indicate that several businesses don’t understand why breaches need to be reported or how they would go about doing so. This has wide-ranging implications for organisations storing personal data in the UK: from May 2018, a crippling GDPR fine of up to €20 million or 4% of global revenue awaits organisations that fail to report a breach to the relevant authority within 72 hours.
How to address the latest security challenges
Despite the concerns highlighted in the latest Cyber Security Breaches Survey, it is promising that organisations across the UK are becoming acutely aware of the need to have good information security controls and procedures in place. Global security spend is rising, but there is evidently still work to be done to ensure that businesses maximise the return on their cyber security investments so that critical data and assets are more comprehensively protected.
To help mitigate cyber security risk, many organisations are turning to managed security service providers like Redscan to make significant improvements to their security posture. Redscan’s comprehensive range of penetration testing, red teaming and managed threat detection services provides invaluable insight into cyber security exposures and essential support in identifying and addressing vulnerabilities. Redscan’s award-winning ThreatDetect™ service facilitates rapid threat detection and response by monitoring network infrastructure for signs of attack 24/7. This ensures swift response to and remediation of attacks and allows organisations to report breaches in line with the requirements of the GDPR and other regulations.