The latest Cyber Security Breaches Survey 2018 has just been released by the UK Government. The quantitative and qualitative survey reviews UK businesses with the aim of understanding how businesses of varying sizes are approaching Cyber Security. It provides insights into how businesses are prioritising Cyber Security and implementing policies. It also reveals how many businesses have experienced a Cyber Attack and what the implications of those attacks were.
As an IT solutions provider to small and medium-sized businesses for over 15 years, we have seen the threat of cyber attacks increase. This report is always of great interest to us to see if it reflects what we see in terms of cyber attacks. We are seeing an increased trend in Cyber Security awareness and a greater emphasis on making it a priority, which will hopefully continue.
We have pulled out the main elements of the report to highlight the areas that will hopefully be useful to you.
Businesses are increasingly using the internet for emails, websites, online banking and social media, which is exposing them to cyber security risks.
98% of the businesses questioned in the survey confirmed that they rely on digital communication or services.
The survey also focused on charities, which are increasingly at risk from cybercrime. More and more charities are encouraging contributors to make donations online and this is likely to increase. Similarly, beneficiaries are also accessing charities' services online.
43% of the businesses surveyed have experienced some form of cyber attack in the last 12 months. For larger businesses (250 employees or more) this figure increased to a frightening 72%.
The most common breaches identified in the survey occurred in organisations that hold personal data, where staff are using their own devices or adopting cloud technology.
47% of the businesses that stated that they held personal data on customers experienced a breach in the last 12 months. Businesses that stated that they allowed BYOD (bring your own device) were more likely to experience a breach.
How are breaches impacting businesses?
Over half of the businesses that experienced a cyber security breach in the last 12 months confirmed that it impacted their business. The figure was higher for charities.
How did a Cyber Security breach in the last 12 months impact your business?
• We needed to implement new measures to prevent future attacks (36%)
• We required additional staff time to deal with the breach (32%)
• Our teams were prevented from working (27%)
Average cost of a Cyber Attack by business size
The breaches that resulted in a loss of assets or data cost some businesses significantly. The average costs depended on the size of the business affected. In the survey they were classified as follows.
Small (10-49 employees) £3,100
Medium (50-249 employees) £16,100
Large (250 employees or more) £22,300
A change in attitudes towards Cyber Security
On a positive note, of the businesses surveyed, 74% said that Cyber Security was now a priority at senior management level. Small businesses in particular stated it as a very high priority. This saw an increase from 33% in 2017 to 42% in 2018.
The main reasons for raising the priority of Cyber Security seemed to be the acknowledgement that an attack could have a substantial impact on their business, especially in terms of reputation and the financial consequences.
Although the general feeling from the survey is that businesses and senior management are more aware and keen to implement a cyber security strategy, the figures for those businesses that were actively doing so and communicating to management about potential breaches were similar to the 2017 survey. It is clear that more needs to be done to encourage procedures to be put in place and adhered to.
The key to implementing a Cyber Security strategy is ensuring that businesses as a whole have a good awareness and are supported with regular training.
Only 20% of businesses surveyed said that their employees had been offered either internal or external cyber security training in the last year. Businesses highlighted the difficulties that they are facing regarding training.
Below are some of the barriers they are encountering.
• Skills gap where current employees don’t have the relevant skills.
• Inconsistency with training due to lack of resources.
• Costs to run training sessions and have employees away from their roles for different periods.
• Lack of access to video training or webinars.
• Lack of evidence to support what value training would bring businesses.
5 basic Technical Controls to help protect against Cyber Attack
• applying software updates when available (92% of businesses and 75% of charities)
• up-to-date malware protection (90% and 73%)
• firewalls with appropriate configurations (89% and 69%)
• restricting IT admin and access rights to specific users (78% and 65%)
• security controls on company-owned devices (65% and 42%).
The figures were also low for other protection methods such as encryption. Only 37% had rules or controls in place. The survey highlighted that businesses that held personal information on their customers were failing to implement encryption, therefore potentially putting data at risk.
Although there seems to be a positive shift in attitudes towards Cyber Security, there are still a number of businesses that have yet to produce a Cyber Security policy or a plan should an attack occur. Only 27% of the businesses surveyed confirmed that they have a policy in place and only 13% stated that they have a Cyber Security Incident Management process, leaving employees with little idea of what to do should the worst happen.
In terms of information, 59% of businesses sought help or advice on Cyber Security in the last year, suggesting that more and more businesses are keen to develop their knowledge and ensure that they are doing what they can to protect their business.
Despite the wide range of information available via Government sources, only 4% had used these as a resource. The survey suggests that businesses are keen to seek out information that is specific to their industry and will be able to answer their specific needs. The reality is that the advice is the same across most industries, so there is more information available than businesses may realise, and it is being overlooked.
Cyber Security Breaches Survey 2018. What have we learned?
So all in all, the survey shows that, with an increased use of digital communications, Cyber Security is becoming more of a priority for businesses. However, there is still a lot to be done to help protect them from Cyber Attack.
Areas such as BYOD (bring your own device) and cloud technology were highlighted as key risk factors for businesses, as those who allowed and used these saw an increase in breaches.
There is greater awareness of the impact a Cyber Attack can have on a business in terms of costs and reputation, especially at a senior level. However, the survey highlighted the barriers that businesses are encountering in terms of training limitations and budgets, and the figures for businesses that were actually implementing a Cyber Security strategy were similar to last year's.
The survey revealed that although there is a wide range of resources out there to help businesses, there is some uncertainty as to which is most useful. Despite various resources available via the Government websites, the perception seems to be that businesses are looking for advice specific to their industry rather than across the board.
There also seems to be a need for initiatives such as Cyber Essentials to be more widely publicised, as this assessment will help businesses ensure they are implementing the 5 basic technical controls to help protect against Cyber Attack.