Even though 43% of businesses and 19% of charities have experienced cyber security breaches in the past 12 months and GDPR is only a month away, 26% of businesses and 47% of charities still do not consider cyber security a high priority, the government's new Cyber Security Breaches Survey has revealed.
The new survey, carried out on 1,519 UK businesses and 569 UK registered charities, is especially significant as it provides an honest summary of the cyber preparedness of the UK's businesses and charities ahead of the roll-out of GDPR, a landmark piece of legislation that will impose a heavy cost on organisations that fail to secure enterprise or customer data due to poor cyber security credentials.
The survey revealed that while it is no surprise that 98% of businesses and 93% of charities have digital assets through which they communicate with their customers or accept payments, such businesses and charities are also highly vulnerable to cyber attacks and infiltrations. In the past 12 months, 43% of businesses and 19% of charities have experienced cyber security breaches or attacks.
Businesses and charities with an income of £500,000 or more, those who hold customer data, and those who have Bring Your Own Device (BYOD) policies were found to be more likely to experience cyber attacks. The survey revealed that organisations with more potential risk factors are always more likely to face such attacks.
Such attacks have also impacted businesses and charities, financially or otherwise. Over 53% of businesses and 59% of charities either had to invest more to add new measures against future attacks, devote more staff time to dealing with breaches, or stop staff from carrying out day-to-day work because of breaches.
Businesses and charities also suffered financial losses to the tune of £3,100 and £1,030 on average respectively, with medium (£16,100) and large businesses (£22,300) suffering much higher losses compared to small ones.
Lack of focus on cyber security
Even though businesses and charities may claim to their customers or contributors that they are serious about cyber security and data protection, the survey revealed several hard facts which clearly showed how serious they really were.
Even though GDPR is only a month away, 26% of businesses and 47% of charities still do not consider cyber security a high priority. Just three in ten businesses and a quarter of charities have board members or trustees with responsibility for cyber security; one in five businesses and two in five charities never update their senior managers on cyber security issues; and only a fifth of businesses (20%) and a lower proportion of charities (15%) have had any staff attend internal or external cyber security training in the last 12 months.
In order to help businesses and charities strengthen their cyber security defences, the government had, in 2016, introduced five basic technical controls as part of the Cyber Essentials Scheme. These controls were applying software updates when available, keeping malware protection up to date, installing firewalls with appropriate configurations, restricting IT admin and access rights to specific users, and placing security controls on company-owned devices.
In order to incentivise the adoption of the scheme, the government said that businesses not completing the programme would not be eligible to compete for government contracts. Despite the government's efforts, only half of all businesses and just 29% of all charities have implemented all of the five basic technical controls.
What's more, only 56% of businesses and 55% of charities that hold customer data have rules and controls around encryption, only 27% of businesses and 21% of charities have cyber security policies in place, and only 13% of businesses and 8% of charities have a cyber security incident management process in place.
"It is vital that businesses and government alike constantly innovate and collaborate to make it increasingly difficult for cybercriminal's to impact on our lives," said Mark Weir, Director of Cybersecurity at Cisco UK & Ireland. "Emerging technologies like Artificial Intelligence, Machine Learning and automation are no longer a luxury, but a necessity in ensuring we don’t just keep up with, but stay one step ahead of the bad guys."
"With only one month left before GDPR comes into force, today’s Cyber Security Breaches Survey is another timely reminder to ensure UK businesses are prepared for the worst. We’ve seen the damage that can be caused by the likes of WannaCry, and internal data protection and data management failures within corporates, but the stakes are about to become much higher, thanks to the regulatory penalties coming into force in a month with GDPR and the Data Protection Bill for the UK," said Mark Adams, Regional Vice President, UK & Ireland at Veeam.
“Reading that over half of the businesses surveyed and six in ten of the charities interviewed were impacted by breaches or attacks came as no surprise. Especially when you consider that less than half of these companies had the right contingency plans in place to deal with highly disruptive breaches. This is no easy nut to crack. Covering all bases is the demand, but breaking it down into departmental accountability is a way of overcoming some of the pain.
“Hearing that just five in ten businesses (and three in ten charities) implemented the five basic technical controls under Cyber Essentials is completely unacceptable. Worse still, these steps, whilst highly useful to follow, do not cover the issue of data availability.
“Restricted access, firewall configurations, the latest malware updates… it’s all incredibly important, but at some point your business will be breached. It’s inevitable. When it happens, you need to ensure you can remediate quickly to reduce the impact of the attack, and allow your business to remain ‘always on’,” he added.