Some businesses still do not have basic protections or have not formalised their approaches to cyber security, according to an official UK survey. Yet just under half (46pc) of all UK businesses identified at least one cyber security breach or attack in the last 12 months. This rises to two-thirds among medium firms (66pc) and large firms (68pc).
As for the outcomes of a breach, that might be a temporary loss of files or network access or corrupted files; and staff having to take time on the breach. External reporting of breaches except to a cyber security services provider remains uncommon.
Under two-fifths have segregated wireless networks, or any rules around encryption of personal data (37pc in each case). Only a third have a formal policy that covers cyber security risks (33pc), or document these risks in business continuity plans, internal audits or risk registers (32pc). Less than a third (29pc) have made specific board members responsible for cyber security. A fifth (20pc) of businesses have had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended. One fifth (19pc) are worried about their suppliers’ cyber security, but fewer (13 per cent) require suppliers to adhere to specific cyber security standards or good practice.
The survey found that virtually all UK businesses covered by the survey are exposed to cyber security risks, as majorities have websites, and use social media and cloud computing services.
The survey organisers point out that firms who consider online services to be core to their business to a large extent are also those where BYOD is more prevalent (57pc, versus 46pc overall). This means that businesses who are perhaps more exposed to cyber security risks related to BYOD could also have the most to lose from a significant BYOD related breach, it’s suggested. The specific threat of ransomware has underscored the value of any electronic data that businesses hold, not just personal or financial data. The survey organisers suggest having a senior individual in charge of cyber security, someone who can have direct contact with senior managers and can influence decision-making in the business; and that board members should be educated on the topic, enabling them to share knowledge and best practice across the businesses they are involved in. And people are being more exposed to cyber attacks, such as phishing scams, in their personal lives.
Three in five (58 per cent) of businesses have sought advice or guidance on cyber security threats facing their organisations over the past year. The top specific sources of information mentioned are external security or IT consultants (32pc) as well as online searches (10pc), while only 4 per cent mention Government or other public sector sources.
About the survey
It was carried out by Ipsos MORI, with the Institute for Criminal Justice Studies at the University of Portsmouth: a telephone survey of 1,523 UK businesses from October 2016 to January 2017, and 30 interviews in January and February 2017 to follow up businesses that took part. For the 66-page survey in full visit https://www.gov.uk.
Comments
John Madelin, CEO at Reliance acsn, said: “Ahead of GDPR coming into force next year, the DCMS [Department for Culture] report has some interesting findings, especially with regard to reporting data breaches externally. Under GDPR businesses will have to notify authorities of a data breach within 72 hours and without undue delay. With almost half of UK businesses suffering a cyberattack in the past 12 months, and larger firms suffering them on a monthly or daily basis, it’s clear that businesses still are struggling with getting basic security right. As businesses become more and more digitised it’s crucial that organisations understand what their critical assets are, where they are stored and who has access to them. Once businesses get to get to grips with these basics, implementing a comprehensive security plan becomes far easier and can serve to mitigate the costly impact of data breaches.”
Robert Capps, VP of business development at NuData Security, said: “It is revealing that the report finds one in five businesses have been hacked, and that only 24 percent have protective measures in place. The inevitable conclusion, even though the correlation isn’t made in this particular report, is that companies are still slow to respond to the risk of cyber attack until it happens, at which point, then they acquire necessary protections. A situation which leaves companies vulnerable and only perpetuates the risk of cybercrime online.
“The report indicates that enterprises are more likely to be attacked than SMB’s, yet defines a large company as over 100 employees. Other reports, such as the Symantec’s 2016 Global Threat Report indicate that only 35 percent of cyber attacks target large enterprises over 2500 employees. Whatever the exact breakdown is, SMB’s are typically less prepared than larger enterprises which usually have large fraud and security teams in place. Enterprises present bigger targets and are hit with different sorts of attacks. No matter what their size, all businesses should take note that computer intrusions and hacking are now a fact of life. Small or large, companies should ensure that they have appropriate incident response processes and preventative measures in place and make sure that there are no single points of failure in the response chain. All online businesses should make ensure that an appropriate accounting of actions, impacts, and learnings are provided to senior management, so improvements can be instigated. Poorly managed computer intrusions lead to most unmitigated data theft incidents, such as we’ve seen in recent high profile breaches.”
Alex Guillen-Estudillo, Go-to-Market Manager, Insight UK, said: “Cyber-security is once again leading the news agenda and unfortunately the story has not changed, UK businesses are still not protecting themselves against hackers. The BRC’s survey is yet another warning of the necessity for every organisation – no matter how large or small – to have a robust approach to its data management. As digital transformation continues to revolutionise the world every organisation, no matter the industry, is at risk of a cyber-attack or a human error data breach. What’s most worrying about this report therefore, is the finding that only a quarter of those surveyed said their businesses had security measures in place to minimise risks.
“This is why it is crucial that cyber security is considered a necessity, rather than a ‘nice to have’. Only then will we not only reduce the fallout of an incident, but will be better equipped to identify ways to minimise, mitigate risk should a data breach happen. If the UK’s corporate landscape want to continue as world leaders, they need to not only take responsibility for their cyber future but also take advantage of the numerous tools and services that will help cement their cyber security practice. This will ensure they have the best chance at ensuring their reputation as a trustworthy business is maintained.”
Paul Farrington, Manager, EMEA Solution Architects, Veracode, said: “As we edge ever closer to new, more robust data protection legislation – such as the GDPR – businesses must take a more proactive approach to safeguarding valuable and sensitive information, such as customer data.
“With the single biggest source of data loss resulting from application vulnerabilities last year, IT leaders must place an emphasis on discovering and plugging any gaps that may exist today. Following a breach, we all know it isn’t just data a company loses, and no longer can firms continue the ‘it won’t happen to us’ approach. If hackers are the only ones searching for vulnerabilities across an organisation’s digital ecosystem, it is clear who will find them first.
“Tackling this problem will therefore require a complete shift in terms of how applications are developed, built and maintained, with developers who drive innovation working hand-in-hand with those designed to safeguard data. Only by implementing this change can organisations future-proof themselves against the growing threat of a cyberattack.”
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, says: “This report delivers another stark warning that every business will eventually fall victim to cybercrime. It’s also worth noting that Government reports typically under-report scenarios rather than exaggerating them, meaning the issue is more severe than suggested.
“The cloud still seems to be causing a security headache. Regardless of whether they admit it or not, 100 percent of businesses use the cloud in some capacity every single day. It doesn’t have to be for critical functions, but it could be something as small as an employee accessing personal social media accounts. What is worrying therefore, is that the report reveals that nearly half of businesses do not cover the use of cloud within their cybersecurity policies*. Firms cannot expect employees to understand the threats if they do not even recognise that the technology is in use. It’s similar to teaching children to cross the road safely without recognising that roads exist.”
