Feature

Cyber Security – The Scale of the Problem

April this year saw the publication of HM Government’s extensive report into cyber security. It quantifies the problem and seeks to give businesses guidance on understanding the nature and significance of the cyber security threats they face, and on what others are doing to stay secure.

In the space of a single generation the vast majority of people and organisations have become dependent upon digital communications or services such as email, websites, online banking and online shopping, all of which expose them to cyber security risks.

Organisations of all sizes, and a substantial majority of large businesses in particular, have been breached or attacked. Those with more potential risk factors are also among the most likely to experience cyber security breaches or attacks.

Over four in ten businesses (43%) have experienced cyber security breaches or attacks in the last 12 months. This rises to seven in ten (72%) among large businesses, and a similar proportion (73%) among the largest charities with incomes of £5 million or more.

Breaches were more often identified among the organisations that hold personal data, where staff use personal devices for work (BYOD) or that use cloud computing.

  • The majority of businesses (56%) hold personal data on customers electronically. Among these, 47% of businesses have experienced breaches or attacks.
  • Just under half (45%) of businesses have an element of BYOD. The businesses where this occurs are more likely to have had breaches or attacks (49%).

Impacts

Breaches impact organisations in various ways, and where breaches have resulted in lost assets or data, the financial consequences have been especially significant.

According to the Department for Digital, Culture, Media and Sport report, of all the organisations that experienced breaches or attacks, over half (53%) of the businesses report being impacted by these. These impacts most commonly included needing new measures against future attacks (36%), extra staff time required to deal with the breach (32%), and staff being stopped from carrying out day-to-day work (27%).

Typically, organisations incur no specific financial cost from cyber security breaches. This reflects the fact that most breaches or attacks do not have any material outcome (a loss of assets or data), so do not always need a response. However, where breaches do result in such a material outcome, the costs can be significant.

The average cost of breaches with such outcomes is £3,100. This is much higher for medium businesses (£16,100) and large businesses (£22,300).

Moreover, the estimated total cost of breaches has consistently increased for medium businesses specifically, even when including breaches that do not result in lost assets or data (from £1,860 in the 2016 survey and £3,070 in the 2017 survey, to £8,180 in 2018).

Meanwhile in the Real World…

A recent 2018 study by security firm Centrify suggests that 63% of UK C-suite executives are more concerned about paying the costs of a cybersecurity breach (investigation, remediation and legal costs) than about losing customers or damage to company reputation.

The study also indicates that there is confusion among the C-suite about what constitutes a cybersecurity risk and what needs to be done to prevent it.

In the UK, malware is seen as the biggest threat to an organisation’s success by 44% of respondents, compared to just 24% who point to default/weak or stolen passwords and 29% who blame privileged user identity attacks.

Barry Scott, CTO EMEA at Centrify, explains: “It’s no surprise that the C-suite often points to malware as the biggest threat. Sensational headlines about major attacks could be to blame, which companies see and react to, often mistakenly, when in fact identity-related attacks – such as stolen or weak passwords, and attacks on privileged users within organisations – are the primary threat to cybersecurity today.

“What’s worrying is that they then look to invest money in protecting against malware, when in fact they should be focusing on the increase in identity-related attacks.”

Senior managers in most businesses say they prioritise cyber security, but this is still not always matched by action or engagement from senior management teams.

Three-quarters of businesses (74%) say that cyber security is a high priority for their organisation’s senior management. The proportion of businesses saying cyber security is a low priority has fallen since 2016 (from 30%, to 24% in this survey), indicating that it is now on the agenda for more businesses. More specifically, more small businesses now say it is a very high priority than in the 2017 survey (up from 33% to 42%).

The qualitative survey offers various insights into what makes cyber security a priority, linking it to an organisational culture, and engagement from senior managers:

  • Staff in organisations that used personal data were typically more aware of the impact that breaches could have on brands and reputation.
  • Where senior managers were seen to be interested in cyber security, those responsible tended to feel more empowered to take action.
  • Those that took more action on cyber security tended to see it as complementing rather than competing with their existing strategic priorities, for example by keeping key services running, protecting the finances or protecting reputations.

Despite many organisations stating that cyber security is a high priority, just three in ten businesses have board members with responsibility for cyber security. One in five businesses (20%) also never update their senior managers on cyber security issues.

Opportunities

Clearly the channel has several opportunities here to engage with and help its customers, as there is plainly more that organisations could do around training and awareness raising, documenting risks and adopting good-practice technical controls to better protect themselves.

Basic technical controls might also be improved, particularly among smaller businesses and charities. The survey findings show that just half of all businesses (51%) have implemented all five of the basic technical controls listed under the Government-endorsed Cyber Essentials scheme, which are:

  • Applying software updates when available.
  • Up-to-date malware protection.
  • Firewalls with appropriate configurations.
  • Restricting IT admin and access rights to specific users.
  • Security controls on company-owned devices.

The Government Cyber Security report indicates that rules around BYOD appear challenging for organisations to enforce. While two-thirds (66%) of businesses have a rule restricting business activities to company-owned devices, it is noteworthy that four in ten (40%) of these businesses still say they have staff who use personal devices for regular business activities.

Comment:

Mark Weir, Director of Cybersecurity Cisco UK & Ireland, says the Government Cyber Security Breaches Survey further highlights that the magnitude of cyber-threats we are now witnessing cannot be tackled by organisations on their own.

“The report states that 98% of UK businesses rely on some form of digital communication or services and at present, we are still playing the game of the hackers.

It is vital that businesses and government alike constantly innovate and collaborate to make it increasingly difficult for cybercriminals to impact on our lives. Emerging technologies like Artificial Intelligence, Machine Learning and automation are no longer a luxury, but a necessity in ensuring we don’t just keep up with but stay one step ahead of the bad guys.”

Ed Says…

Rolling the dice on cyber security creates an enormous financial risk for any business. But the stakes are much higher than that. Doing so is also, in effect, gambling on the livelihoods of all of your employees and the data security of your customers.

Ask a customer: If one of your employees opens a phishing email tomorrow, what technology, people or processes do you have in place to prevent that attacker from burrowing into your company’s business? And if they do find a way in, what’s the plan for the next 24 hours and beyond? If the customer can’t answer both of those questions in detail, they are sleeping while the house is on fire. So help them answer the questions.