The UK Government’s Cyber Breaches Survey 2018 has just been released and things aren’t getting any better.
This year’s DCMS cyber breaches survey highlights the continued pressure that UK businesses are under from cyber-attacks as well as what they are – or are not – doing to defend themselves. The report, based on a survey of over 2000 UK businesses and charities, makes for troubling reading.
As you would expect, many businesses report that they are being threatened by cyber criminals. Over 70% of large business report they had experienced some form of breach over the last 12 months. While the number for smaller businesses is lower (only 47% of small firms reported a breach) this may simply be due to breaches remaining undetected by organisations with little cyber security resource.
Also of interest: Data breaches at an all-time high
Cyber security breaches: same old same old!
There is nothing new in this. The cyber criminals are still very much with us, using the same old techniques. Phishing and ransomware endure as significant threats. Laurance Dine, Managing Principal, Investigative Response at Verizon points out that “Around three-quarters of all breaches were linked to staff receiving fraudulent emails.”
This year, Verizon’s Data Breach Investigations Report (DBIR) found that whilst 78% of people don’t click on a single dodgy email all year, on average 4% of the targets in any given phishing campaign will do so. And of course it only takes one!
Little effort to combat cyber threats
The large number of breaches may well be a result on low levels of investment in defences. Indeed a third of small businesses claim they spend nothing on cyber security.
Low investment in defensive technology is matched by low efforts to build robust internal processes. Almost three quarters of businesses (73%) say they don’t have a formal cyber security policy.
And employee training is neglected too. In only a fifth (20%) of businesses had staff attended any form of cyber security training over the last 12 months, with non-specialist staff being particularly unlikely to have attended.
Piers Wilson at Huntsman Security: puts it like this: “Just as we don’t let people drive without getting their licence, every untrained employee could pose a threat. And it’s not just about droning on about policies and processes, it’s about helping staff see why those are necessary and the consequences of ignoring them.”
Too many people, he adds, see security as something that blocks them from doing their job rather than keeping the business safe. Security education needs to address the “why” as well as the “what” of safe behaviour.
Also of interest: High numbers of attacks, low levels of investment
A lack of practical knowledge
At the senior level, awareness of cyber security risks seems to be reasonably high, according the DCMS report. In 90% of medium and large businesses cyber security was rated as a fairly high or very high priority by senior management.
However this claim to be aware doesn’t seem to be matched with practical knowledge. One of the most surprising findings is the very low levels of awareness of Government initiatives such as 10 Steps and Cyber Essentials. Only 37% of large firms claimed they knew about Cyber Essentials; for small firms the figure is a tiny 9%. The very pragmatic 10 Steps fares little better with just 34% of large firms and 15% of small firms admitting any awareness.
This lack of practical knowledge seems to be matched by a level of complacency. The spokesperson for a mid-sized charity is reported in the DCMS document as saying “Why are [hackers] going to go for us when there are much harder things they can tackle and win? They're going to go in to Government bodies, and they could get much more profit and kudos out of that.”
That is a very dangerous assumption.
Overall this is a pretty depressing report. UK plc needs to accept that cyber breaches are a very real threat to our security: we need to invest in appropriate defences including robust ways of working and appropriate levels of training. But with knowledge of some excellent government cyber security initiatives so low, perhaps there is more that can be done at a national level to raise awareness and incentivise real actions.