Case Studies

Cyber breach survey

by Mark Rowe

Over four in ten businesses (43 per cent) and two in ten charities (19pc) have experienced cyber-security breaches or attacks in the last 12 months. This rises to seven in ten (72pc) among large businesses, and a similar proportion (73pc) among the largest charities with incomes of £5m or more. That’s according to the annual Cyber Security Breaches Survey 2018 from the Department for Digital, Culture, Media and Sport (DCMS).

Breaches were more often identified among the organisations that hold personal data, where staff use personal devices for work (known as bringing your own device, or BYOD) or that use cloud computing. Just under half (45pc) of businesses and two-thirds (65pc) of charities have BYOD. The businesses where this occurs are more likely to have had breaches or attacks (49pc). Senior managers in most businesses and charities prioritise cyber security, but this is still not always matched by action or engagement from senior management, the survey suggested. The survey findings show that half of all businesses (51pc) and three in ten charities (29pc) have brought in all of the five basic technical controls listed under the Government-endorsed Cyber Essentials scheme, such as firewalls, up-to-date malware protection, and restricting IT admin and access rights to specific users.

For the survey in detail visit gov.uk.

Comments

Mark James, security specialist at cyber product firm ESET, said: “Sadly cyber-attacks are part and parcel of our interaction with the digital universe that surrounds us in everything we do. From checking the news in the morning through to ordering your daily shot of coffee for collection, collecting, storing and distributing data is often a key factor of any organisation, no matter of size. Some personal, some private and of course a good amount is public, but regardless of its tag there’s one thing you can sure off – someone, somewhere is trying to get their hands on it.

“If you were in a position to have the expertise and knowledge to design, implement and host your security measures in house so it’s completely in your control, it would be great, but for so many companies that’s just not possible. You will have to rely on someone else’s ability to protect it.

“Securing our perimeters from direct and indirect attacks can be extremely difficult. Often the attackers will utilise methods that the user is actually not only expecting but often essential in their everyday work load. We need to install software or hardware to allow the end user to do their job without having to analyse every aspect of their job, then of course we need to educate them, so if something does present itself they have the tools needed to stop it becoming a business critical issue.”

Tony Pepper, CEO of Egress, said: “What might be surprising for some is that, in spite of what we see on the news, the most common attacks reported are not sophisticated attacks. The most common attack businesses are facing is fraudulent emails or being directed to fraudulent websites, which 75 percent had experienced. By comparison, viruses, spyware and malware attacks only affected 24 percent. Again, this shows that businesses would benefit from focusing on the basics first, which means the actions of their own staff. Education is important, but organisations also have to put in place processes and technology that helps protect staff from making mistakes that put the company at risk. By prioritising their own employees, the vast majority of attacks could be prevented.”

And Simon McCalla, CTO at internet domain registry Nominet, said: “The biggest companies are of course the most at risk of attack, as they are often carrying the most desirable and highest concentration of assets. This means they have to be even more fastidious when it comes to protecting their data. The absence of internal security staff is not hugely surprising, but it is a concern. Increased technology outsourcing is an established trend, meaning that sensitive enterprise data tasks now handled by MSPs with privileged access to critical systems is a particular area for concern. Data breaches can be caused by an insecure connection, a backdoor, or even an inside agent, and huge data losses can be made. Companies with particularly sensitive data need to seriously consider bringing security teams in-house in order to mitigate these risks and have the expertise to deal with any suspicious events as they occur.

“The lack of awareness around DNS attacks is also leaving companies wide open to be compromised. The vast majority of threats use it to get malicious data either to or from a target. By understanding the patterns and anomalies in this traffic and having visibility of malicious domains, threats can be stopped from communicating effectively.”

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing