UK cyber security progress stalled, says report

UK organisations are failing to make progress towards strong cyber security and are facing paralysis as cyber criminals become more advanced.

This is the conclusion drawn from the findings of the 2019 Risk:Value report by security firm NTT Security based on a poll of more than 2,200 non-IT decision-makers in 20 countries.

The data shows that UK respondents are aware of the risks posed by cyber threats, with more than half (54%) ranking cyber attacks as the top issue that could affect businesses in the next 12 months, followed by economic or financial crisis (56%). 

While global organisations rank loss of company data in third place, in the UK, 44% believe cyber attacks on critical infrastructure are a far greater threat, with telecoms ranked as the most vulnerable component of critical national infrastructure, followed by energy and electricity networks.

The majority (90%) of UK respondents believe that strong cyber security is important to their business, compared with 78% who say the same about growing revenue and profit, and 93% think cyber security has a big role to play in society.

According to the report, 58% of UK respondents said strong cyber security allows organisations to ensure the integrity of their data, 56% said it ensures only the right people have access to this data, and about half say it helps protect the brand.

However, an analysis of the responses for good and bad practice in cyber shows a lack of progress globally, with the average score in 2018 and 2019 being +3. This shows that there has been no progress in the past year, while on a scale of -41 to +27, almost one-third (32%) of businesses scored less than zero, which means they are exhibiting more bad practice than good.

This is due to several factors, the report said, including the fact that critical data is still not being fully secured in many organisations; that companies lack effective cyber security policies and incident response plans; and that knowledge of compliance issues is worryingly low and fear over non-compliance is leading many businesses to consider paying cyber criminals to try to avoid fines from regulators.

Other contributory factors include the fact that security budgets are not increasing to reflect the growing demands on security teams; that a skills shortage is hitting resource-strapped businesses hard; and that, amid confusion around responsibility, many senior managers think cyber security is just a problem for the IT department.

Businesses in India are the best-performing in the world for cyber security, the report showed, with an average score of +6, ahead of the US (+5) and the UK (+5), rounded to the nearest integer.

Although the UK improved by just one point from +4 in 2018, it has slipped to third position, with the introduction of India. However, the performance of organisations in France, Germany and Singapore has worsened in the past year, as has the performance of the financial services, telecoms, chemicals, pharmaceuticals, oil and gas, and private healthcare sectors, placing doubt on the robustness of critical national infrastructure, the report said.

In breaking down the detail of the reasons why organisations are failing to make progress, the report revealed that 33% of UK respondents said they would rather pay a ransom to a hacker than invest more in security because it would be cheaper – a rise of 12% over the previous year. Also, 34% said they would rather pay a ransom to a hacker than receive a fine for non-compliance with data regulations.

Security budgets in the UK are potentially failing to keep up with increasing cyber risk, the report said, with the percentage of IT budget attributed to security (15%) in line with the global average. The percentage of operations budget spent on security has fallen by about 1% in the past year to 16.5%.

Just 30% of respondents globally believe they are subject to the EU’s General Data Protection Regulation (GDPR), a year on from the compliance deadline, despite it affecting all organisations that have operations or customers in any European Union member state. Here the UK is above the global average at 48%, but behind Spain (55%) and Italy (50%).

Businesses are still failing to be proactive internally, the report said, with only 58% globally claiming to have a formal information security policy in place, just 1% up from 2018. Although 70% of UK respondents said their organisation has a policy in place, this is down from 77% in 2018, and only 47% said their employees are fully aware of such a policy.

The survey shows that while 60% of UK organisations have an incident response plan in place in the event of a security breach – which is above the global average of 52% and among the highest figures across all 20 countries – it still represents a 3% drop compared with 2018.

About half (44%) of UK respondents believe cyber security is the IT department’s problem and not the wider business, which is in line with the global average of 45%.  Swedish organisations are most likely to blame IT (60%), while Brazil is least likely to do so (28%).

The report revealed that the time spent on recovering from a cyber breach continues to rise year on year, with UK respondents estimating that it will take 93 days on average to recover. The UK figure is nearly double its estimated 47 days in 2018. The UK now ranks as having one of the highest figures globally, having been one of the lowest in 2018.

The cost of recovering from a breach is estimated to be $1.2m in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8m and Sweden in first place with expected recovery costs of $3m for a business suffering a breach.

The estimated loss in revenue in percentage terms is up year on year in the UK to 12.9% from 9.7% in 2018, but in line with the global average of 12.7%.

Azeem Aleem, vice-president of consulting at NTT Security, described the report as an “interesting barometer” based on responses from those sitting outside the IT function.

“What is clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work,” he said.

“What is concerning, though, is that organisations seem to have come to a standstill in their journey to cyber security best practice – and it is particularly worrying to see UK businesses falling behind in some critical areas, such as incident response planning.

“Decision-makers clearly see security as an enabler – something that can help the business and society in general. But while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cyber security strategies must improve or business risk will escalate for the organisations concerned.”