More than four in 10 UK businesses suffered a data breach or cyber attack in the past 12 months, according to the government’s latest Cyber security breaches survey report.
With just one month to go until new data protection laws come into force, UK businesses are being urged to protect themselves, with statistics showing that more than four in 10 businesses (43%) and two in 10 (19%) charities suffered a cyber breach or attack in the past year.
This figure rises to more than two-thirds for large businesses, 72% of which identified a breach or attack in the past year. For the average large business, the financial cost of all attacks over the past 12 months was £9,260, with some attacks costing significantly more, according to the report based on a survey of more than 1,500 UK businesses and 569 UK registered charities.
The most common breaches or attacks were via fraudulent emails, often attempting to trick staff into revealing passwords or financial information, or opening dangerous attachments. These were followed by instances of cyber criminals impersonating the organisation online, then malware and viruses.
Minister for digital and the creative industries Margot James said: “We are strengthening the UK’s data protection laws to make them fit for the digital age, but these new figures show many organisations need to act now to make sure the personal data they hold is safe and secure.
“We are investing £1.9bn to protect the nation from cyber threats and I would urge organisations to make the most of the free help and guidance available for organisations from the Information Commissioner’s Office [ICO] and the National Cyber Security Centre [NCSC].”
As part of the government’s Data Protection Bill, James said the ICO would be given more power to defend consumer interests and issue higher fines to organisations, of up to £17m or 4% of global turnover for the most serious data breaches. The bill requires organisations to have appropriate cyber security measures in place to protect personal data.
“The government is also introducing regulations to improve cyber security among the UK’s critical service providers in sectors such as health, energy and transport, and we have established the world-leading National Cyber Security Centre as part of plans to make the UK one of the safest places in the world to live and do business online,” she said.
Ciaran Martin, CEO of the NCSC, said: “Cyber attacks can inflict serious commercial damage and reputational harm, but most campaigns are not highly sophisticated.
“Companies can significantly reduce their chances of falling victim by following simple cyber security steps to remove basic weaknesses. Our advice has been set out in an easy-to-understand manner in the NCSC’s small charities and business guides.”
The new statistics also show, among those experiencing breaches, that large firms identify an average of 12 attacks a year and medium-sized firms an average of six attacks a year.
Smaller firms are still experiencing a significant number of cyber attacks, with more than two in five micro and small businesses (42%) identifying at least one breach or attack in the past 12 months, which could affect profits and reduce consumer confidence, the government report said.
Raft of cyber security advice freely available
However, the survey shows more businesses are now using the government-backed, industry-supported Cyber Essentials scheme, which the government describes as a “source of expert guidance” showing how to protect against cyber threats.
The survey reveals that nearly three-quarters of businesses (74%) and more than half of all charities (53%) rank cyber security as a high priority for their organisation’s senior management.
Organisations have an important role to play to protect customer data, the government said. Small businesses and charities are urged to take up tailored advice from the National Cyber Security Centre. Larger businesses and organisations can follow the 10 steps to cyber security for a comprehensive approach to managing cyber risks and preventing attacks and data breaches.
Organisations can also raise their basic defences and significantly reduce the return on investment for attackers by enrolling on the Cyber Essentials initiative and following the regularly updated technical guidance on the Cyber Security Information Sharing Partnership (CiSP) and the NCSC website.
Raj Samani, chief scientist and fellow at security firm McAfee said that unfortunately, awareness of government initiatives and communications around cyber security remained low.
“Just 3% recalled using government information, advice or guidance, with most organisations unaware of most initiatives,” he said. “Given that 84% of organisations that used government resources found the information useful, it is clear that more needs to be done to promote their use. With such a wealth of information and partnerships with leading security providers, it is imperative that more is done to promote and educate businesses on what resources they have and how they can help.”
Information commissioner Elizabeth Denham said: “Data protection and cyber security go hand in hand: privacy depends on security.
“With the new data protection law, the General Data Protection Regulation (GDPR), taking effect in just a few weeks, it’s more important than ever that organisations focus on cyber security. That’s why we’ve been working with the Department for Culture, Media and Sport (DCMS) and the NCSC to offer practical security steps that organisations can consider to keep data safe.
“We understand that there will be attempts to breach systems. We fully accept that cyber attacks are a criminal act. But we also believe organisations need to take steps to protect themselves against the criminals. I’d encourage organisations to use the new regulations as an opportunity to focus on data protection and data security,” she said.
Organisations which hold and process personal data are urged to prepare and follow the guidance and sector FAQs freely available from the ICO. Its dedicated advice line for small organisations has received more than 8,000 calls since it opened in November 2017, and the Guide to the GDPR has had over one million views. The ICO also has a GDPR checklist, and 12 steps to take now to prepare for GDPR.
The survey also revealed that larger businesses and charities were more likely to identify cyber attacks, and breaches were more likely to be found in organisations that hold personal data and where employees use their personal devices for work.
Organisations still neglecting basic security
Unsurprisingly, the survey data shows that a huge proportion of all organisations are still failing to get the basics right. A quarter of charities are not updating software or malware protection, a third of businesses do not provide staff with guidance on passwords, and more than one in 10 (11%) of large firms are still not taking any action to identify cyber risks, such as health checks, risk assessments, audits or investing in threat intelligence.
Peter Carlisle, vice-president for Europe at Thales eSecurity, said that although the report reveals that businesses and charities have certain cyber security controls in place, it is “worrying” that only 37% of businesses encrypt personal data, with the figure being just 31% for charities. “Data encryption should be considered a minimum level of security for organisations, as all data will then be rendered useless in any kind of breach or leak.
“According to our Global data threat report, over a third of organisations have suffered a data breach in the past year, and with the GDPR coming into force in a month’s time, companies need to ensure that they have taken the required steps to protect all data or risk facing devastating fines,” he said.
Also on the topic of security controls, James Romer, chief security architect for Europe at SecureAuth, said many of the threats organisations were facing could be addressed through complete identity management platforms, combining identity access controls alongside user awareness programmes.
“It appears from the report that businesses and charities have not correctly identified the importance of implementing strategic identity solutions as a priority to improve their cyber defences. It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyber attacks in the future,” he said.
Organisations need to go further than just two-factor authentication, said Romer, using identity platforms that join silos of data together to create comprehensive identity controls. “Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation-based threat services, and phone fraud prevention to address the threats at the identity level efficiently,” he said.
Greg Day, vice-president and chief security officer for Europe at Palo Alto Networks, said the report shows that very little has changed from previous years. “While there are some positive improvements since the last report, in particular more regular senior level engagement, generally it is disappointing because virtually all UK businesses rely on some form of digital communication or services, and the frequency of attacks is edging up.
“It’s really important that businesses get basic hygiene right, otherwise you’re just putting hard work, customer data and day-to-day business operations at risk. We need to establish whether the problem is due to lack of knowledge, skills or resource, or a combination of all three.
“Traditional cyber security mindsets have created a heavy human workload, which takes up resources. But we’re now seeing new legislation which leverages the concept of state-of-the-art cyber security that allows for much greater automation and efficiencies.
“As such, businesses need to consider if they have a modern, state-of-the-art security operating platform or a legacy of components. For resource-poor businesses, the cyber security industry has started to offer security as a service, so businesses that don’t have the skills internally can leverage others,” he said.
On the topic of cloud security, Day said the report tallies with Palo Alto research that security policies cover cloud computing only 59% of the time. “This rush to the cloud is not taking full account of the security risks. We know from our own research that despite most cyber security professionals (64%) saying security is a top priority for their adoption of the public cloud, less than half of respondents are very confident that existing cyber security in the public cloud is working well, and only 19% of those we spoke to said they had the correct level of involvement in the security of cloud services,” he said.
Visibility is critical to IT security, said Day, but the move to the cloud has brought with it multiple suppliers and new responsibilities for security, which is making visibility harder. “Our research found that only around one in 10 (13%) cyber security professionals said they were able to maintain consistent, enterprise-class cyber security across their cloud(s), networks and endpoints. If we can’t see or understand what good looks like, and can’t consistently apply controls to enable our increasingly digital businesses, then we should expect future reports to only get worse. The capabilities and opportunities are there for improvement – businesses just need to take them.”
Security awareness needs effort
Laurance Dine, managing principal, investigative response at Verizon, said it was particularly noteworthy that around three-quarters of all breaches were linked to staff receiving fraudulent emails, indicating there is still much work to be done on employee education.
“Employee awareness schemes are critical to ensuring staff are equipped with the ability to spot fraudulent emails and learn to be more cynical to keep the organisation safe, so it’s a concern that just one in five businesses have such training in place,” he said.
Piers Wilson, head of product management at Huntsman Security, said that just as we do not let people drive without getting their licence, every untrained employee could pose a threat. “It should be about helping staff see why those are necessary and the consequences of ignoring them. Right now, too many people just see security as something that blocks them from doing their job rather than keeping the business safe. Until that changes, security is going to remain an afterthought and we’ll continue to see reports like this.”
Rashmi Knowles, field CTO for Europe at RSA Security, said it was worrying that despite most UK businesses claiming cyber security is a high priority, less than a third of businesses give cyber security responsibility to a board member. “Only 35% employ information security staff, cyber security training programmes are pretty scarce, and less than three in 10 businesses have a security policy in place. It’s no surprise we are seeing so many businesses get hacked.
“Organisations need to stop paying lip service and start putting the right people, processes and technologies in place to manage this risk to their business. The worlds of security and risk are converging, and organisations desperately need to recognise that cyber security is a business problem – it’s no longer acceptable to feign ignorance, or claim that your business isn’t at risk, as one in five UK businesses have claimed this year.
“With GDPR just a month away, organisations are in for a rude awakening, as the costs outlined in this report are likely to skyrocket over the next 12 months. Businesses simply can’t afford to wait until a breach occurs to start taking security seriously. Organisations need to take a business-driven approach to security, where they assess their most important assets and scale security accordingly, to ensure a company’s most important assets, such as IP and customer data, are secured through layered security, multifactor authentication, advanced threat detection and complete visibility of IT infrastructure,” she said.