
Cyber attack survey

by Mark Rowe

Cyber attacks have evolved and become more frequent, according to the latest UK survey for the DCMS (Department for Digital, Culture, Media and Sport).

Almost half of businesses (46 per cent) and a quarter of charities (26pc) report having cyber security breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (68pc), large businesses (75pc) and high-income charities (57pc). The findings are not all gloomy; the report says that organisations have become more resilient to breaches and attacks. They are less likely to report negative outcomes or impacts from breaches, and more likely to make a faster recovery. Also, the survey found ‘greater board engagement in cyber security and increased action to identify and manage cyber risks’ – which as the report added, may account for the resilience.

However, organisations could still do more, on audits, cyber insurance, supplier risks and breach reporting; though the report admits that businesses may not know what good practice is. And as the report says, reporting may mean different things – to IT or cyber security providers as part of incident response, reporting financial losses to banks and insurers, public declarations to customers or suppliers, or reporting to the authorities.

As for what to do and who should do it, the survey found that banks, insurance companies and accountants often played a major role in guiding organisations on cyber; an audit was a time to think about cyber, as were changes in tech, such as to operating systems or moving to a cloud server. On that theme, the survey found that organisations did not always make improvements to cyber security for their own sake. Instead, they often made wider technological changes, such as doing tax returns online or moving to Office 365 or Windows 10, and then updated their cyber policies and processes.

And as in the physical world, a breach could be the trigger for change. The survey gave the example of an unnamed ‘large payroll business’. “They were infected by malware that led to their mail server sending fake invoices to their clients. Staff spent time dealing with clients and their bank to resolve the issues. Following the incident, they changed their firewall provider, IT provider, and mail server.”

Changes in society that make people more aware of cyber security – ‘news coverage of cyber security breaches, the increasing prominence of cyber security in people’s personal lives (eg when they interacted with banks)’ – have also had an effect on staff.

As for supplier risks, the survey suggested that some see those risks narrowly, in terms of IT and internet service providers and other digital service providers; rather than anyone they deal with digitally and have data on. A lack of transparency from suppliers made it hard to understand risks from the wider supply chain. Many surveyed did not know who their suppliers’ suppliers were.

Visit https://www.gov.uk/government/collections/cyber-security-breaches-survey.

Comments

Ed Macnair, CEO of Censornet, said that the survey showed the ‘increasing sophistication and threat from email attacks’. He said: “The volume of phishing and impersonation attacks continues to rise, showing that cyber criminals are turning to social engineering tactics to access organisations’ sensitive data. The statistics show plainly that these attacks are far more prevalent than the likes of ransomware attacks but they make the headlines far less. Organisations may think they have their email security under control but they evidently need to think again.”

Jens Monrad, Head of Mandiant Threat Intelligence, EMEA FireEye said his firm had seen hackers become a lot more sophisticated in their tactics with careful planning and execution. “Most of the ransomware deployments take place three or more days after the initial infection. This means that even if an organisation does fall victim to having their network and data compromised, there is some leeway between the first malicious action and ransomware deployment.”

More must be done by businesses to increase resiliency and preparations for when – not if – they are targeted, said Margarete Mcgrath, Chief Digital Officer at Dell Technologies. Businesses must take an holistic approach to building business resilience supported by investment in cyber resilience and business continuity activities that will enable businesses to further minimise their losses when they suffer an attack, she said. “Areas that businesses should prioritise include safeguarding critical data, improving data isolation protocols, investing in artificial intelligence (AI) and machine learning (ML) tools that can keep businesses one step ahead of malicious actors and having automated disaster recovery processes in place. Education and business readiness are also vital. Businesses should undertake regular senior leadership wargaming activities to build awareness and readiness and continually assess supplier and partner risks. They also need to consider how they protect emerging technologies.”

The sheer number of attacks registered last year is indicative of the fact that many organisations still need to invest more in the right infrastructure and skills, said Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu. He said: “Cyber criminals have become increasingly bold, creative and better equipped, finding new ways to trick people into revealing compromising sensitive financial and personal data. This means that “suspicious behaviour” is getting harder to detect. While continued investment in technical and security controls is paramount, employees are those on the front line so upskilling staff and making them more cyber aware will be one of the most cost effective ways of reducing the impact of cyber-attacks.”

Cybercriminals and threats are constantly evolving, as is the landscape within which they operate, said Jérôme Robert – director at cyber firm Alsid. “Take the current COVID-19 pandemic which is gripping the world: massive changes in workstyles driven by remote working are a gift for hackers. Likewise we talk a lot about the rise of AI applications to boost security, but don’t forget that cybercriminals also have access to AI which they can use to launch more dangerous, targeted attacks in higher volumes thanks to automation. Ransomware is seen as a common threat these days and it is downplayed in the report, but daily headlines show how punishing it can be.”

Chris Miller, Regional Director UK and Ireland at RSA Security was reassured that the survey reflects that cybersecurity has, slowly but surely, risen up the agenda to become a business-wide and board-level issue. “The challenge the industry faces is no longer one of awareness, it’s about how to put in place achievable yet effective measures to manage the huge variety of digital risks businesses face. One such digital risk that the survey highlights, is that of suppliers. There’s no doubt that third parties are hugely important in today’s hyper-connected business environment, but they’re also a potential source of data breaches and are often targeted by malicious parties to leapfrog into other businesses’ networks.”

Simon Newman, Head of Cyber and Business Services for PCPI (Police Crime Prevention Initiatives) said: “The statistics lay bare the nature and scale of the problem affecting UK businesses. It’s worrying that almost half of all businesses have suffered at least one cyber attack or breach within the last 12 months and that a third of those businesses take no action at all to reduce their vulnerability after they have fallen victim.

“Businesses constantly need to be at the top of their game. With the frequency and volume of attacks growing, cyber criminals are becoming increasingly sophisticated in the way they target businesses, so it’s good to see the survey include a focus on supply chains for the first time.

“There are also some worrying messages for Government and the law enforcement community. Just 2pc of businesses turn to Government for information about cyber security which is reflected in a lack of awareness about government-backed schemes, including Cyber Essentials. It’s clear that we need to work more smartly together in support of the National Cyber Security Strategy. We need to ensure that businesses have access to trusted, impartial and up to date advice that will help them reduce their vulnerability to the overwhelming majority of cyber crime.

“There are however, some encouraging signs that businesses are responding to the threat. With 80pc of businesses seeing cyber security as a high priority, businesses are becoming better at understanding how cyber-crime may affect them and are increasingly likely to implement cyber policies within their organisation. Staff are also playing their part in reporting suspected attacks or breaches, helping businesses deal with them more quickly, thereby reducing the potential impact.”


© 2024 Professional Security Magazine. All rights reserved.
