Apparent drop in cyber incidents highlights underlying problems
UK organisations report fewer cyber security incidents, but the headline data masks more serious issues, according to a report
About four in every 10 UK businesses have been subject to a cyber security incident of some nature in the past 12 months, but this rate has declined by over 6% since this time last year, possibly reflecting a reduction in economic activity during the Covid-19 pandemic that inadvertently rendered some businesses less notable targets.
That is according to new statistics released by the Department for Digital, Culture, Media and Sport (DCMS) in its latest Cyber security breaches survey. This is the sixth year running that DCMS has compiled this study, which, despite the dip, continues to show that overall, security incidents remain a serious threat to all types of organisations.
Overall, 39% of businesses and 26% of charity organisations reported a breach or attack in the past 12 months, with the rate higher among large enterprises and medium-sized firms.
However, the rest of the study data shows that the risk level to organisations is in fact higher than ever since the pandemic began, with notable and concerning declines in the number of organisations using security monitoring tools – down 5% to 35% – or undertaking user monitoring.
DCMS said it was possible that this meant that rather than being attacked less, businesses were simply less aware of the attacks their users were facing – a hypothesis that may appear to be borne out elsewhere in the data. Among those that did identify incidents, 27% of businesses and 23% of charities said they were hit at least once a week, mostly by phishing attacks. This suggests significant under-reporting.
In a more positive trend, of those that did identify incidents, only one in five – 21% of businesses and 18% of charities – said they had ended up losing money, data or other assets. The costs of incidents now appear to be more reflected in post-incident remediation – installing new security services, wasting staff time, dealing with angry customers, and so on. The average (mean) cost of a breach clocked in at £8,460, rising to £13,400 for medium-sized and large firms.
DCMS found that the overall proportion of organisations experiencing negative outcomes or impacts from a security incident was significantly lower than in the preceding years, probably a result of increasing security measures to ensure compliance with the General Data Protection Regulation (GDPR), and rising use of cloud storage and backups.
Turning to Covid-19 more specifically, the DCMS report said that, unsurprisingly, the pandemic had stretched many security teams to their limit, but it was not necessarily causing security to become a higher priority for boards and buyers.
Indeed, 84% of businesses and 80% of charities said the pandemic had made no difference to the importance their wider leadership places on security – although the qualitative data does show there was a rush of spending on new security systems during the pandemic, mostly related to shoring up remote working practices – multifactor authentication, virtual private networks, and so on.
This spend was, on the whole, more likely to be characterised as about continuity of business rather than cyber security, however, and many respondents to the study said that in some cases they felt management and users did not really get the role that security teams play in ensuring business continuity. Others complained that in the immediacy of the pandemic, security measures tended to be viewed as in conflict with business continuity.
The research also highlighted the UK’s security ambitions for the future, and the challenges that security teams expect to face. With Covid-19 set to remain a driving force for some time, high on the agenda is the roll-out of more technologies and policy tweaks that support remote working.
Many organisations said they anticipated moving away from strict “lockdown” approaches to security towards reprioritising functionality and flexibility. This suggests that in the coming months, security teams will need to align themselves better to wider business goals.