Breaches survey

by Mark Rowe

Despite covid-19 stretching many cyber security teams, cyber security remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic, according to the latest UK Government Cyber Security Breaches Survey.

Three-quarters (77pc) of businesses say cyber security is a high priority for their directors or senior managers, while seven in ten charities (68pc) say this of their trustees. While there have been minor fluctuations in these findings over the past three years, cyber security remains a higher priority compared to a first survey of each group (69pc in 2016 for businesses and 53pc in 2018 for charities).

Half of businesses (50pc) and four in ten charities (40pc) update their senior management teams about the actions taken on cyber security at least quarterly, in line with the 2020 results. However, the percentage of charities reporting that their senior managers are never updated on cyber security has increased since last year (to 23pc, versus 12pc in 2020).

Most businesses (84pc) and charities (80pc) say covid-19 has made no change to the importance they place on cyber. The qualitative research suggests that some have increased their investment in IT and cyber security in response to the pandemic. Many adopted new security solutions, including cloud security and multi-factor authentication, or new rules requiring VPN connections to access files.

These changes were often characterised as being about business and IT service continuity. However, in some cases, interviewees felt that management boards and end users did not fully appreciate the role of cyber security in facilitating long-term business continuity. In the immediacy of the pandemic, cyber security measures were sometimes viewed in the short term as being in conflict with business continuity, rather than complementing it.

The pandemic has led to changes in ways of working, and the survey also found that this has made cyber security harder for many. In qualitative interviews, many organisations explained that the move to home working meant changes to their digital infrastructure. Many issued laptops or tablets to staff, set up Virtual Private Networks (VPNs) or expanded VPN capacity, started using cloud servers and had to approve new software quickly.

Direct security and user monitoring have become harder in remote working. Upgrading hardware, software and systems has also become more difficult. As for the future, many expect to make continuous improvements in their cyber security, which includes, for example, rolling out multi-factor authentication, or tweaking policies and processes to cover Software as a Service (SaaS).

For the full survey visit gov.uk.

Comments

Steve Forbes, Government Cyber Security Expert at Nominet, said: “Nominet has been working closely with the NCSC through the pandemic to bring critical organisations such as the NHS under the protection of PDNS. It has also launched PDNS Digital Roaming, an app which enables the use of PDNS away from the office environment, to facilitate more secure connections. In many ways the past year has done a lot to evolve our cyber response during emergency situations.”

At the cyber firm Mimecast, Vice President of the UK, Jamal Shakir said: “It is surprising to see the rate of reported cyber incidents decline in the past 12 months. At Mimecast, our data shows that attack volume surged by 48% during the first year of the pandemic, with 358.96m malicious detections in the UK alone during 2020. There is no doubt that cybercriminals have increased the volume of their attacks on businesses, looking to take advantage of workforces operating remotely for the first time. Unfortunately, it is far more likely that this distributed workforce has actually led to more cyber incidents going undetected, and therefore unreported. This is probably the reason for a decline this year and is very worrying indeed.

“The last 12 months has seen an increase in sophisticated digital-deception campaigns where threat actors combine COVID-19-related social engineering with multi-channel campaigns – including email, social media, collaboration tools, and even phone – to gain credibility with their targets so they can then be tricked into giving away valuable information or credentials. Organisations must not take their foot off the gas and ensure that they have adequate tools and training in place to deal with these attacks.”

And RiskIQ’s EMEA VP, Fabian Libeau, said: “The Government revealing that phishing emails comprise the lion’s share of data breaches from the last year will be a big concern for companies across the UK, but it will also come as no surprise. After all, the COVID-19 pandemic shunted our perception of the world around us, leaving company employees highly vulnerable to targeted social engineering attacks.

“Working from home, combined with the unprecedented situation over the past year, has made it increasingly difficult for employees to ascertain the legitimacy of the emails and social communications they receive. Cybercriminals have made the most of this confusion, and certainly in the early days of the pandemic, the insatiable appetite for information.

“UK businesses must continue to follow the UK Government’s guidance and evaluate their cybersecurity measures to ensure they protect their brand on the internet from the likes of fraudulent spear phishing campaigns. A key consideration should be excellent visibility into web-facing assets and how they are being used across the internet, as well as detecting non-owned assets stood up by threat actors to impersonate the brand.”

Mike East, VP EMEA Sales, Menlo Security, said: “Every company on the planet had to quickly reorganise themselves for a business continuity that very few had prepared for. Many organisations had a disaster recovery (DR) policy for moving from one building to another. But a common theme when talking to CISOs last year was that nobody was prepared for the move from the safety of the castle and moat security environment that was the office, to that of the employees’ homes connecting over the internet. The shift from the safety of the office or castle to the home prompted a change in how organisations looked at security. Security very quickly became an enabler and not an overhead at board level. With the change in working practices in 2020 we saw many of our customers and prospects accelerate their digital transformation programs and move traditional on-premise assets and capabilities to the cloud.

“Security professionals have to get security right 100pc of the time and the threat actors only have to get it once to be successful. The problem is that most companies are responding with strategies that focus on detection. In other words, attempting to assess if network traffic is good or it is bad. However, we are seeing many companies take a very different approach. Rather than focusing on detection, which is increasingly difficult and expensive, they are now taking a Zero Trust approach, which is trust nothing and assume everything is bad. A very effective implementation of a Zero Trust strategy is to isolate the user from web- and email-based connections to the internet. If you do not allow direct access to the internet, you cannot become compromised. As a result, companies reduce the costs, increase their employee security and remove the burden on IT staff.”

© 2024 Professional Security Magazine. All rights reserved.