Two thirds of large businesses experienced a cyber breach or attack in the past year, says the Department for Culture, Media & Sport. The research also suggests that in some cases the cost of cyber breaches and attacks to business reached millions, but the most common attacks detected involved viruses, spyware or malware that could have been prevented using the Government’s Cyber Essentials scheme.
The Cyber Security Breaches Survey found that while one in four large firms experiencing a breach did so at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities. Even fewer, about a third of all firms, had formal written cyber security policies and only one in ten had an incident management plan in place.
Minister for the Digital Economy Ed Vaizey said: “The UK is a world-leading digital economy and this Government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”
Results from the survey are being released alongside the Government’s Cyber Governance Health Check, which was launched following the TalkTalk cyber attack. It found almost half of the top FTSE 350 businesses regarded cyber attacks as the biggest threat to their business when compared with other key risks – up from 29 per cent in 2014.
That ‘Health Check’ also found that only a third of the UK’s top 350 businesses understand the threat of a cyber attack, and only a fifth have a clear view of the dangers of sharing information with third parties. Many firms are, however, said to be getting better at managing cyber risks, with almost two thirds now setting out their approach to cyber security in their annual report.
Both surveys form part of the Government’s approach to tackling cyber crime, which it says will see £1.9 billion invested over the next five years.
The Government points to its ‘10 Steps to Cyber Security’ as advice to large businesses, and the Cyber Essentials scheme is available to UK firms. The Government is also creating a new National Cyber Security Centre offering industry a ‘one-stop-shop’ for cyber security support. A new national cyber security strategy will also be published later in 2016 setting out the Government’s plans.
Gordon Morrison, Director of Government Relations at Intel Security, said: “These findings are a reminder that cyber attacks are a blight on British businesses and the wider digital economy. There are no quick fix solutions to this threat, but initiatives like the National Cyber Security Centre and the Cyber Essentials programme are a step in the right direction for raising awareness and protecting both the public and private sector from attack.
Tackling this problem requires a combination of skills training, technology investment and a strategic partnership between industry experts and government to ensure the UK is best protected against hackers.”
Matt Middleton-Leal, regional director UK & I at CyberArk, said: “Most attacks are preventable if you have the right security precautions deployed in the right place, with minimal interaction from humans to mitigate the risk of human error. In the real world, this simply isn’t possible. For a company to be agile and remain competitive, its employees need to be flexible and responsive to changing demands, rather than caught up in complex processes, requesting and re-requesting access to everyday business applications. IT security isn’t too tricky to implement, but it does require time and effort to ensure a layered approach covers all possible areas of vulnerability. As part of this, automation can help build a company’s security prowess; the automatic rotation of credentials, for example, will repeatedly prove an obstacle for a hacker once inside the network.
“One thing is clear, firms can no longer assume they are only protecting their business from hackers getting in. Time and time again we see examples of attackers sitting within a network for hours, days, weeks and even months, before actually causing irrevocable damage – it’s in this moment of grace that an organisation has its best chance to identify the attacker and lock them out.”
Bill Walker, Technical Director at QA, said: “So far, this year has been a bumper time for cyber threats, cyber attacks and cyber crime, and the government’s most recent statistics reflect exactly that. With this investment the Government appears to be taking the threat to business and infrastructure very seriously. We wholeheartedly welcome this investment. Businesses need hands-on experience and training in order to prepare for the worst. They need their staff to be able to simulate and react to a real-life threat in a secure physical environment.”
Simon Crosby, CTO and co-founder, Bromium, said: “The findings confirm that the cyber security landscape in the UK is similar to other advanced nations: We are experiencing sustained targeted attacks that legacy detection technologies cannot see or stop. Organisations need to urgently adopt a new posture that protects endpoint systems by design using virtualization based security. It is unrealistic to expect that OS vendors or application vendors can stay ahead. A radical change is urgently needed.”
David Navin, Head of Corporate at Smoothwall, said: “It is astonishing that half of UK businesses are not tackling the ever-growing threat. It is now not about if a cyber attack occurs, but rather, when. In this digital age companies must have a robust security system in place in order to protect themselves once they fall victim to an attack. It is essential that they start with the basics. Beginning with a firewall, encryption and good security software, if companies have those measures in place and continue to layer on top of that, then it will reduce the chances of a data breach or attack.
“However security needs to be taken seriously throughout companies by all of their staff. It is common knowledge now that the majority of security breaches occur due to human error. Ensuring a strong security culture is instilled throughout the workforce therefore is vital to ensure staff are constantly vigilant and aware of the threats. Security needs to be taken seriously at all points of the organisation, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur to mitigate the risks.”
Lee Meyrick, Director of Information Management at Nuix, said: “Information transparency can have a huge impact on how secure an organisation is from data breaches – whether these are internal or external – and how effectively it can respond to incidents. The first step towards responding efficiently to breaches and closing information security gaps quickly is understanding where important data is stored. This is easier said than done, as about 80% of organisational data is unstructured, meaning it’s in complex formats – such as emails, databases, photos, and presentations – that are difficult to search and understand. As a result, while 96% of organisations have an incident response plan in place, not all understand where their data lies across the enterprise.
“The key principle is making sure the only people who can access high-risk data are those who need to for day-to-day work. In order to achieve this, information security, information governance and records management specialists need to become ‘good shepherds’ of their data. They should know where all their sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe. Information governance technology can locate data ‘in the wild’ and move it to controlled, siloed repositories protected with encryption, access controls and retention rules, and apply policies to ensure only authorised staff members have access to important information using devices appropriate for the type of data.”
Rob Lay, Customer Solutions Architect in UK & Ireland at Fujitsu, said: “The fact that two thirds of businesses in Britain have been targeted by cyber-attacks in the last year should come as no surprise. You just need to take a look at the number of companies being hit by attacks to see the rapid growth of fraud, malicious intent and attack capabilities. What is more shocking is that half of firms are still not tackling this issue. According to Fujitsu’s predictions report, we can expect a growth of DDoS attacks, insider threats and also phishing in the next year, and as such everyone should be doing more to prevent theft. Because of this, it’s vital both consumers and organisations take a proactive approach when it comes to security. Organisations need to focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber threats. There must also be a clear and well-rehearsed incident management plan for a breach, addressing internal and external communication in addition to containment and recovery activities.
“As the sophistication and regularity of security attacks continue to increase, it has never been more important for both consumers and organisations to protect their assets appropriately.”
Chris McIntosh, CEO of ViaSat UK, said: “This research from the government shows that cyber-attacks represent a growing threat to the UK’s economy and more still must be done by businesses to protect against the risk. These attacks are becoming more sophisticated by the day and now provide a lucrative opportunity for malevolent parties to disrupt, coerce and steal money and sensitive customer data from businesses. As such, I’m not too surprised to see these attacks and breaches are affecting more businesses. I am surprised, however, that despite half of FTSE 350 businesses seeing cyber-attacks as the biggest threat to their business, the policies and technology they have put in place do not reflect this. In the modern threat landscape complacency is no longer an option – companies need to review their entire IT systems from top to bottom, ensuring there are no unprotected points of entry for potential attackers and that all points of access are secured and all sensitive data is encrypted. The fact is that many organisations could already have been compromised, and not know until months or years later. Organisations need to assume that they have already been compromised and work backwards on this basis; only then can they trust that the network is secure and behaving as it should be. This will not only protect against the immediate threat of a cyber-attack but will also help preserve company reputation and ensure the health of UK industry for the foreseeable future.”
And Rohyt Belani, CEO and co-founder, PhishMe, said: “The fact that nearly seven out of ten attacks on all firms involved viruses, spyware or malware doesn’t surprise us, as it’s what we hear from customers and see in our own research. The problem for many is that these infections are often spread via phishing campaigns, and nearly all will be successful as they bait users to open tainted emails that often bypass stringent technology layers to reach the user’s inbox. Employees can be too busy, distracted or trusting to give much thought to the possible risks. While any Government-backed initiative does help raise awareness of the cyber security risks and rewards, it is not going to magically protect organisations from those threats.
“Organisations need to accept that technology and frameworks alone are not enough. It’s essential that companies condition and empower their employees to not only recognise and avoid a phish when they encounter one, but to report malicious emails internally – sourcing a bevy of rich human intelligence essential for improving incident response times and thwarting phishing attacks before they become successful. Since attacks often target groups of people across an enterprise, employees quickly become the last line of defence and should be properly prepared. Every suspicious email reported helps prevent the rest of the staff from being caught in a malware trap, because security operations is aware of what the phishing email looks like and can respond appropriately.”