Businesses and charities have raised the floor in cyber security, but there’s room still for a more holistic approach, according to an annual official survey into cyber-security breaches.
The new data protection law arising from the European Union-wide General Data Protection Regulation (GDPR) has encouraged or compelled many organisations over the past 12 months to engage formally with cyber breaches for the first time, or in some cases to strengthen their policies and processes. Some businesses and charities, particularly smaller ones, may be framing cyber security solely in terms of GDPR and data protection. However, the report authors warn, GDPR can only take you so far. What GDPR training organisations gave may have had little about cyber.
More are assessing and documenting their risks, ‘implementing new rules and technical controls, and raising awareness through staff training’. The survey by the Department for Digital, Culture, Media and Sport found cyber insurance becoming a more common part of the approach to cyber risk management, particularly among medium and large businesses. The survey found that board members can do more, and businesses and charities may have ‘an unacknowledged skills gap’. Only a minority of organisations demand minimum cyber security standards from suppliers; and the findings suggest that suppliers are often overlooked as a potential source of cyber risk.
Among businesses, the proportion identifying breaches or attacks (32pc) was lower than in 2018 (when it was 43pc) and 2017 (46pc). The survey could not say why; whether defences have increased, cyber attacker behaviour has changed, or ‘GDPR has taken the focus away from breaches or attacks that are not related to personal data’. The document admitted that in light of GDPR, those responding may have become less willing to admit to cyber security breaches.
Comments
Digital Minister Margot James said: “Following the introduction of new data protection laws in the UK it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before. However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.
“We know that tackling cyber threats is not always at the top of business and charities list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.”
For the 66-page survey visit gov.uk.
