Cyber Breaches Survey 2022

by Mark Rowe

The frequency of cyber attacks is rising, the Cyber Security Breaches Survey 2022 report from the Department for Digital, Culture, Media and Sport (DCMS) has suggested.

Some 39 per cent of UK businesses identified a cyber attack, consistent with previous years of the survey. As enhanced cyber security leads to higher identification of attacks, the survey organisers suggest that ‘less cyber mature’ organisations may be under-reporting.

The most common threat vector was phishing attempts (83pc). Of the 39pc, around one in five (21pc) identified a more sophisticated attack type such as a denial of service, malware, or ransomware.

As for ‘tone from the top’, around four in five (82pc) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority; that’s an increase from the 77pc in 2021. The figure is lower in charities, where 72pc rate cyber security as a ‘very high’ or ‘fairly high’ priority. When the surveyors went on to do interviews, they found that limited board understanding meant the risk was often passed on to others, such as outsourced cyber providers, insurance companies, or an internal cyber colleague.

Formal incident management policy is limited, with only 19pc of businesses saying they have a formal incident response plan. Only 6pc of businesses have the Cyber Essentials certification and 1pc have Cyber Essentials Plus, which is put down largely to relatively low awareness.

DCMS Cyber Minister Julia Lopez said: “It is vital that every organisation take cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk. No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.”

The Cyber Security Breaches Survey 2022 was carried out for DCMS by Ipsos MORI, with the fieldwork conducted between October 2021 and January 2022. It surveyed UK businesses, charities and educational institutions. You can view the survey at the DCMS website.

Comments

Alexandra Willsher is Senior Sales Engineer at the cyber firm Forcepoint. She said this year’s survey highlighted how much senior leadership within organisations have limited understanding of cyber risk and are often turning to cybersecurity vendors or insurance companies to handle it. “While there’s nothing wrong with turning to expert advice, cybersecurity is a challenge that can’t simply be outsourced. Tackling cyber threats adequately requires the efforts of everyone right across an organisation to play their part.

“Adapting to cyber risk is now both a cost and a driver of doing business today. Beyond generating revenue through ransom payments, cybercriminals and nation-states are stealing more than just data, but also highly sensitive IP and other competitive information. The DCMS survey highlights how enhanced awareness of cyber threats and detection ability clearly enables greater identification of attacks – but also the fact that those organisations who are less cyber mature, likely aren’t even knowing they’re being compromised or tested. With over a quarter of respondents saying they estimate they’re being attacked at least once a week, the amount of attempts that are slipping through undetected are significant.

“This shows a deliberate focus by cyber criminals on targets that are perceived to be less well equipped at defending themselves. As an example, banks are well aware of what they have to lose, and are therefore expected to have greater resources when it comes to defence. Those that are least well-equipped to defend themselves are also probably least aware of their obligations when it comes to reporting. The NCSC Cyber Essential scheme is an excellent resource for the smaller enterprise.

“Modern business is highly data driven, and unfortunately cybercriminals are keenly aware of this. To respond, leaders must align their planning around detecting and responding to cyber threats with the wider risk management they’re doing in running their organisations, in order to keep their exposure risk low.”

Rick Jones, CEO and Co-Founder of DigitalXRAID, said supply chain vulnerability is still a key issue for businesses. The survey found that only 13pc of organisations review the risks posed by their immediate suppliers, a figure that falls to 7pc for the wider supply chain. “Yet the assumption that supply chains cannot pose a serious cyber risk is a dangerous one, as shown by successful attacks through third parties such as James Hall and SPAR, or more recently the highly publicised Okta breach. Cybercriminals are becoming increasingly sophisticated and targeted in their attacks and have learned that leveraging back-door entry points through smaller, less cyber-equipped points of the supply chain is an effective way to exploit small businesses and gain access to larger ones.

“To mitigate these risks, it’s promising that small, medium, and large businesses are already outsourcing their IT and cybersecurity to an external supplier 58pc, 55pc, and 60pc of the time respectively. By working with a certified security partner, organisations can benefit from access to greater expertise and resources, drawing on the aggregate value of cyber professionals with extensive knowledge of the threatscape. This is especially pertinent for smaller organisations that simply do not have the resource in house for constant threat monitoring, and considering the continued growth of the cyber skills gap. An outsourced Security Operations Centre (SOC), in particular, can help protect businesses of all sizes with 24/7/365 threat monitoring to detect and neutralise any potential breach.”

And Dan DeMichele, VP Product Management at LastPass, said: “Fast evolving threats have never been higher on the news agenda yet despite heightened awareness we’re yet to see the urgency of the threat match the level of action taken by individuals at every level across businesses of all sizes from SMB through to large-scale enterprise. Strikingly, only 8pc of organisations have set up multi-factor authentication and ensured employee passwords were changed since their most disruptive breach or attack. These figures highlight the scale of the challenge that awaits UK businesses in shedding complacency and taking simple yet essential steps to make effective cyber hygiene a reality.

“As we can all see in the current environment, it’s imperative that companies strengthen their cyber defences and prepare for potential hacking attempts. While many smaller businesses may not consider themselves at risk, they are actually some of the most sought-after targets for hackers looking to make money.”

© 2024 Professional Security Magazine. All rights reserved.