Case Studies

Experience of breaches

by Mark Rowe

The UK Department for Digital, Culture, Media & Sport (DCMS) has published a report on ‘organisational experiences of cyber security breaches’.

In February and March, employees across ten organisations that between them had experienced a variety of types of cyber security breach in the last three years were interviewed over Microsoft Teams. Though the ten varied, they did regard themselves as having taken cyber seriously before they were breached, the study found.

Several themes emerged, according to the report. “Firstly, there was a consensus that cyber-crime is a significant and growing business risk, with cyber attacks increasing in both volume and technical sophistication.”

Nearly all those in the study saw the need for ever greater vigilance and investment in cyber-security, “as the controls that were appropriate a few years ago are now seen as less effective. That said, while interviewees from medium and large organisations said they tended to have formal plans in place and budget allocated for further cyber security investment, interviewees from smaller organisations were more likely to assert they did not, largely citing resource constraints.”

The majority felt their organisations put more of an emphasis on technology than employees to stay secure. “For some, technology was a tool to ‘help people do the right thing’, reflecting the widespread notion that people and culture are more of a cybersecurity ‘weak spot’ than the tech.”

Most said that their leadership had grasped the importance of cyber and was increasingly supportive of investing in it, with some already treating it as a ‘board level business problem’. Meanwhile, not all were sure that their leadership teams fully understood the ‘scale of the threat’, or the need to change, culturally, to meet the challenge.

As for the actual breaches, in most instances organisations in the study were able to find the cause and fix the ‘weakness’, often drawing on external vendors. For some participants, the breach was a cause of much personal stress. Once the breach was fixed, relatively few were able to, or tried to, measure the financial impact. Likewise, few went through a formal ‘lessons learned’ process in the aftermath of the breach. Despite this, most felt that they were now better protected than prior to the attack, having since strengthened aspects of their cyber security technology, policy, or staff training.

For the full, 40-page report, visit the DCMS website.

Comment

Dan Middleton, VP UK and Ireland at the back-up and data recovery company Veeam said that according to his company’s research, ransomware costs business nearly two million dollars per incident, and that’s just one cyber attack vector. “It’s vital that decision-makers at the very top understand the need for a proactive approach to security and data protection, as they are the people that have the power to make it happen. Business leaders can give security teams the resources required to implement the tools and processes that will work to prevent cyberattacks from occurring in the first place, such as investing in secure, immutable data backups, which are often the last line of defence against ransomware. It’s simply not acceptable that the penny keeps dropping only after data has been accessed by cybercriminals.

“At the most senior level, there is a clear need for every enterprise to have a CISO, and for their advice to be heeded by those at the top. Currently, only 14% of CISOs sit on the corporate board of their business, potentially preventing their expertise and feedback from being prioritised at that level. It is when statistics like this start to grow that it will become clear that those at the helm of their corporations are giving cybersecurity and modern data protection the attention it requires.”


© 2024 Professional Security Magazine. All rights reserved.
