The latest Cyber Security survey from the Government’s Department for Digital, Culture, Media & Sport, released April 3rd, reports a greater understanding among organisations that cyber attacks cannot be prevented by common sense alone. But while the findings suggest that embedding knowledge and understanding of cyber security within management boards is a strong driver of behavioural change, over 40% of larger businesses still don’t have a board member with a cyber security brief. Yet.
The Cyber Security Breaches Survey is a quantitative and qualitative survey of UK businesses and charities, published annually since 2016. This version of the quantitative survey was undertaken in winter 2018, and the qualitative element in early 2019.
The survey – the first since GDPR was introduced – suggests that the enforcement of the data protection legislation from May 2018 encouraged and compelled many organisations to either engage formally with the topic, or in some cases, to strengthen their existing policies and processes. This has helped to raise greater awareness of cyber security issues.
A Big ‘But…’
The report suggests that the advent of GDPR is a mixed blessing, as the findings show that, while GDPR has played an important role in raising awareness, it may have unintentionally made organisations think of cyber security almost exclusively in terms of data protection. Meanwhile, advances in the number of staff attending training on cyber security may well be more due to the uptake of GDPR training, in which the actual cyber security content may only play a relatively small part.
Fewer Incidents, Harder Impact
Very few organisations (16% of businesses and 11% of charities) have formal cyber security incident management procedures in place. This continues to be the area in the Government’s ‘10 Steps to Cyber Security’ guidance where organisations are least likely to have taken action.
Overall, the data suggests that fewer businesses are identifying breaches or attacks, but the attacks that penetrate organisations’ defences and cause the most disruption, are also having more severe financial impacts than ever before.
Few Businesses with Written Cyber Policies
The report noted there was room for a more holistic approach to cyber security. While there has been progress since 2018 across organisations, only a minority of micro and small businesses have:
- written cyber security policies or a formal incident management process;
- arranged any form of cyber security training;
- engage senior staff with a specific responsibility for cyber security as part of their job role.
Yet their users remain the most at threat (and the most susceptible) to phishing attacks, identified by 80% of these micro-SMEs and 81% of all charities as the most common threat.
Only 27% Training Staff
There is still a large difference between the relatively low proportions sending staff on training (27% of businesses and 29% of charities) and the much higher proportions that feel they have no such skills-gap. This reflects other recent DCMS research on cyber security skills, which showed that many organisations lack an understanding of the technical requirements of a cyber security role.
Focus In-House to the detriment of Supply-Chains
Less than one in five businesses (18%) and one in seven charities (14%) require their suppliers to adhere to any cyber security standards. In the qualitative interviews, some had simply not considered suppliers as a potential source of cyber risk before, while others simply did not consider their suppliers’ cyber security to be their responsibility
Across all organisation sizes, only a minority of organisations demand even minimum cyber security standards from suppliers. Organisations reported this was an area where they would benefit from more guidance or checklists.
Finally, while more organisations have started to consider cyber security as a high priority over the years since the survey began three years ago, there has not been an equivalent increase in the number seeking out information and guidance, with many businesses suggesting they are reactive and ‘wait to be told’ or ‘expect to be informed’ by Government. In this dynamic and ever-evolving threat environment where incidents are affecting organisations of all types and sizes, assuming it won’t happen or waiting for disaster to strike before developing and validating your cyber security strategy is simply no longer an option.
If you can’t justify a full-time board-level cyber security professional but need strategic guidance and support, you do still have options: read our whitepaper to explore how to gain access to a Chief Information Security Officer without the fixed resource and recruitment challenges.
Read the full government report here – https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019
Learn more about Littlefish’s Cyber Security Services here.
About Katy Hinchcliffe
Littlefish Head of Cyber Security Katy Hinchcliffe, is a highly regarded cyber security leader. With over a decade’s experience delivering a broad range of cyber security services to enterprise clients for global IT outsourcer Capgemini, notably managing the prevent, detect and respond functions on behalf of Rolls-Royce, Katy is now responsible for developing Littlefish’s Cyber Security practice.
Your People: Security Weakness or Effective Threat Warning System?