Government urges businesses and charities to up cyber security
The UK government is urging businesses and charities to take action to prevent cyber attacks as the costs go up, despite an overall reduction in breaches, partly driven by new data protection laws
The proportion of UK organisations being hit by cyber attacks and data breaches has dropped in the past year, official statistics show, but government says there is more work to be done and industry experts suggest this should focus on cyber resilience.
The government’s Cyber security breaches survey 2019, based on a poll of more than 2,000 organisations, shows 32% of businesses identified a cyber security attack in the past 12 months, down from 43% the previous year.
The reduction is partly due to the introduction of tough new data laws under the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act. As a result, 30% of businesses and 36% of charities have made changes to their cyber security policies and processes.
However, among the organisations that did suffer attacks, the average number of breaches has risen from four in 2018 to six in 2019, so businesses and charities that are hit appear to be experiencing more attacks than in previous years.
And where a breach resulted in a loss of data or assets, the average annual cost of cyber attacks on a business has gone up by more than £1,000 since 2018 to £4,180, while the average annual cost for charities is higher at £9,470.
The data also shows that the average costs faced by larger businesses tend to be much higher: £9,270 for medium firms and £22,700 for large firms.
Government is therefore urging organisations in all sectors to do more to protect themselves against cyber crime, with 32% of businesses and 22% of charities reporting attacks and breaches.
Most common attack methods
The most common attack methods were phishing emails, followed by instances of others impersonating their organisation online, viruses or other malware including ransomware.
Digital minister Margot James said it is encouraging to see that since the introduction of new data protection laws in the UK, business and charity leaders are taking cyber security more seriously than ever before.
“However, with less than three in 10 of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.
“We know that tackling cyber threats is not always at the top of a business or charity’s list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.”
Through the CyberFirst programme, the government is working with industry and education to improve cyber security and get more young people interested in taking up a career in cyber.
The Cyber Discovery initiative has already encouraged 46,000 14- to 18-year-olds to get on a path towards the cyber security profession. More than 1,800 students have attended free CyberFirst courses and nearly 12,000 girls have taken part in the CyberFirst Girls competition.
Full strategy to be published later this year
The government’s initial Cyber Skills Strategy, published in December 2018, will be followed by a full strategy later this year, the Department for Digital, Culture, Media and Sport (DCMS) said.
Business and charity leaders are being encouraged to download the free small business guide and free small charity guide to help make sure that they don’t fall victim to cyber attacks. These are available through the National Cyber Security Centre (NCSC).
Clare Gardiner, director of engagement at the NCSC, said: “We are committed to making the UK the safest place to live and do business online, and welcome the significant reduction in the number of businesses experiencing cyber breaches.
“However, the cyber security landscape remains complex and continues to evolve, and organisations need to continue to be vigilant. The NCSC has a range of products and services to assist businesses, charities and other organisations to protect themselves from cyber attacks, and to deal with attacks when they occur. These include the Board Toolkit providing advice to board-level leaders, and guides aimed at small businesses and small charities.”
The threat of cyber attacks remains very real and widespread in the UK, the government said. The figures published today also show that 48% of businesses and 39% of charities who were breached or attacked identified at least one breach or attack every month.
Cyber security is becoming more of a priority issue, especially for charities, the government said. The proportion of charities that treat cyber security as a high priority has risen to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.
The government said all businesses should consider adopting the Ten steps to cyber security, which provides a comprehensive approach to managing cyber risks. Implementation of the 10 steps is designed to help organisations reduce the likelihood and cost of a cyber attack or cyber related data breach.
Organisations can also raise their basic defences by enrolling in the Cyber Essentials scheme and following the regularly updated technical guidance shared through the Cyber Security Information Sharing Partnership (CiSP), available on the NCSC website.
Commenting on the fact that 80% of businesses and 81% of charities that were breached or attacked blamed phishing emails, Hiwot Mendahun, cyber security analyst at email security firm Mimecast, said it is no surprise that email has once again proved to be a top entry point for cyber criminals.
“One in every 61 emails in the last quarter contained malicious links, according to our recent Email Security Risk Assessment, and the number is only set to increase,” she said.
While cyber security is climbing up the ladder to becoming a top business priority, Mendahun said the government breach survey shows there is more to be done to “really move the needle” on protecting businesses and charities from potential disruptive breaches.
“Nearly all organisational information passes through email at some point, so a comprehensive cyber resilience strategy is a must to ensure protection from these threats,” she said.
Looking beyond technology
According to Mendahun, combating this problem requires organisations to look beyond technology and ensure a greater and ongoing focus on training.
“Cyber criminals know how to home in on people’s weaknesses, so it is vital staff are educated on the telltale signs of fraud and some simple checks, such as ensuring emails from seemingly trusted internal contacts actually have the company’s correct domain in the email address, hovering over links to see the real destination before clicking, and not opening attachments in unsolicited mail,” she said.
“It takes as little as a single click to give attackers access, so all hands, eyes and technology must be focused and trained appropriately to avoid a potential breach.”
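The checks Mendahun describes can be automated rather than left to each recipient. The script below is an added example written for this page, not code from the original article, Mimecast or the NCSC. It parses one message and reports three things: a From: address outside the organisation's own domains (noting when it merely resembles one), a Reply-To that diverts replies to a different domain, and any link whose visible text shows one hostname while its href points to another, which is what hovering over the link would reveal. The company domain, the addresses and the two sample messages are constructed for illustration.

```python
"""Header and link checks for a suspected phishing email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation legitimately sends mail only from these domains.
TRUSTED_DOMAINS = {"example.com"}

# A bare hostname or URL as it might appear in anchor text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _domain(addr):
    """Domain part of an address, lower-cased ('' if absent)."""
    return addr.rpartition("@")[2].lower()


def check_sender(msg, trusted=TRUSTED_DOMAINS):
    """Flag a From: domain that is not one of ours and a Reply-To that diverts replies."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    dom = _domain(addr)
    if dom not in trusted:
        note = ""
        # Lookalike heuristic: the untrusted domain contains a company domain's first label.
        if any(t.split(".")[0] in dom for t in trusted):
            note = " and resembles a company domain"
        findings.append(f"From domain {dom!r} (display name {name!r}) is not a company domain{note}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    rdom = _domain(reply)
    if rdom and rdom != dom:
        findings.append(f"Reply-To domain {rdom!r} differs from From domain {dom!r}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """The 'hover over the link' check: a hostname shown in the anchor text must match the href's host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        m = _HOST_IN_TEXT.search(text)
        if not m:
            continue  # wording such as "click here" shows no destination to compare against
        shown = m.group(1).lower()
        if real != shown and not real.endswith("." + shown):
            findings.append(f"link text shows {shown!r} but points to {real!r}")
    return findings


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Run every check over one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = check_sender(msg, trusted)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    names = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    if names:
        findings.append(f"carries attachment(s): {', '.join(names)}")
    return findings


# Constructed sample: lookalike sender domain, diverted Reply-To, and a link whose
# text shows the genuine portal while the href goes to the lookalike domain.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe@example-com.net>
Reply-To: payments@mailer.example-invoices.net
To: bob@example.com
Subject: Urgent: updated bank details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the new account on our portal:
<a href="http://portal.example-com.net/login">https://portal.example.com/login</a></p></body></html>
"""

# Constructed sample of a legitimate internal message for comparison.
SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Portal reminder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Timesheets are due on <a href="https://portal.example.com/login">https://portal.example.com/login</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, check_message(raw) or ["no findings"])
```

The link check deliberately ignores anchors whose text is plain wording, since there is no claimed destination to contradict; a gateway rule that wanted to go further would rewrite or expand every URL, which is what hovering does by hand.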
Mark Deem, a partner at law firm Cooley, said the introduction of mandated notification and increased penalties under GDPR are likely to further drive up the potential financial costs of all data incidents in the future.
“Whether as a result of an incident becoming notifiable as a breach or the additional investigative work that might be required to satisfy the business that notification is not required,” he said.
Although it is welcome to see that businesses are taking positive steps to improve their cyber resilience, Deem said it may still be too soon to determine whether recent legal and regulatory changes have driven the much-needed behavioural and cultural shift of businesses towards robust information security, or whether this trend is likely to be short-lived.
“Genuine cyber resilience comes from corporate muscle memory, which is developed from incident response planning with legal, communications and IT security stakeholders, and which is sustained by testing and updating processes on a regular basis.”