The government’s Cyber Security Breach Survey was released last week, outlining the current state of cyber security for businesses and charities in the UK. The headline figures show that 32% of businesses identified a cyber breach in the last 12 months, a drop from 43% last year - but those who are affected are suffering more breaches, with 48% identifying at least one breach or attack a month. The most common threat was phishing, totaling 80% of breaches for businesses.
The average annual cost for a business breach has increased to £4,180, and 32% of affected organisations implemented new measures to prevent further attacks. But this cost figure does not take into account the potential impact from reputational damage or loss of customer trust.
The role of the GDPR
Unsurprisingly, the impact of GDPR is a key theme throughout the survey and it has generally had a positive impact since its introduction in May last year. The regulation prompted 30% of business respondents to make changes to their cyber security arrangements - of those, 60% created new policies, 11% changed firewall or systems configurations, and 15% provided additional training for staff.
But there is still a way to go. Just 58% of businesses are aware they can be fined for breaches in personal data, and only 46% know they must report certain data breaches to the ICO within 72 hours. Additionally, many organisations appear to view data protection as being the same as cyber security, in some cases using the terminology interchangeably. Firms should take a more holistic approach to cyber security, which includes data protection and the GDPR.
What about third parties?
Third party risk is a big problem in cyber security, as shown by the Ticketmaster hack, the preventable WannaCry attack on the NHS and the recent data breach from Facebook. Despite this, businesses are not taking third party risk seriously enough, with just 18% of businesses requiring their suppliers to meet prescribed security standards. Some respondents had not considered this to be an issue, while others said they wouldn’t know what questions to ask their suppliers. To put this into context, 60% of businesses said they were using cloud computing solutions - so this is an area of risk that businesses should pay particular attention to.
Improved governance is needed
Training is also a key area for improvement, with just 27% of businesses offering it to staff over the last 12 months (up from 20%). Of those receiving training, 81% were senior management and just 29% were broader staff across the organisation (ie not IT or security focused). This is of particular importance as regular training is the key tool to mitigate risks around phishing – the most successful attack method found in the study.
More businesses give quarterly updates to senior management than in previous years, and 78% said cyber security is a high priority for senior management. But only 35% of businesses have a board member responsible for cyber security, and those in charge of implementing security measures wanted greater support to embed awareness, from the top down. This should take the form of a broader, holistic approach - taking into account the unique risk profile and challenges facing each organisation.