Report: UK Security Has Much Room to Improve

The UK government has an initiative called the National Cyber Security Programme. Their 2016 to 2021 plan aims to improve cybersecurity throughout the country’s public and private sectors.

As part of the initiative, the UK Department of Culture, Media & Sport partnered with Ipsos MORI and the University of Portsmouth to conduct a survey to determine how prepared British businesses are for cyberattacks.

Between October and December 2017, a telephone survey of 1,519 British businesses and 569 British charities was conducted. A follow-up was conducted in January and February 2018 by interviewing 50 of the participants to acquire further qualitative insights.

The Cyber Security Breaches Survey 2018 (PDF) was published on April 25, 2018. The findings have been deemed an Official Statistic by the UK government.

The Findings

Here are the findings which really caught my attention:

"Are for-profit businesses more prone to cyberattack than not-for-profit charities? Or are businesses just better able to identify cyberattacks? 43% of businesses and 19% of charities reported cybersecurity breaches and attacks in the past twelve months.

Breaking down businesses by size, 42% of small businesses reported attacks and breaches, whereas 65% of medium and large businesses reported attacks and breaches. Are larger businesses greater attack targets, or do they just identify attacks more effectively? Perhaps it’s a bit of both."

Of the businesses and charities which reported cybersecurity breaches and attacks (averaging the two groups), 23.5% said that they temporarily lost files, 14.5% said software or systems were corrupted, 12% had their website taken down or its performance slowed, 5.5% had assets, intellectual property, or money stolen, and 4.5% lost files or personal data permanently.

So, attacks on the integrity and availability components of the CIA triad of cybersecurity were particularly common. When intellectual property is stolen, the confidentiality component is affected as well.

Breaches can be quite costly. Breaches to medium-sized businesses cost a mean of £8,180 each, and breaches to large businesses cost a mean of £9,260. That’s about $11,000 and $13,000 US dollars respectively.

Medium-sized businesses reported a mean of six breaches in the past twelve months, and large businesses reported a mean of twelve. Once again, I wonder if larger businesses are larger targets, if larger businesses are better able to detect breaches, or if the truth is some combination of the two factors.

These are self-reported survey findings, by the way. 44% of medium-sized businesses which reported breaches, and 47% of large businesses which reported breaches, said they needed new measures to protect against future breaches.

36% of medium-sized businesses with breaches and 40% of large businesses with breaches said that their incident response required additional staff time. For waged employees, that means additional labor costs. Even salaried employees may incur overtime, or it’s time they could have spent working on something else.

Risk Management Measures

So, what are the surveyed businesses doing in response to growing and expensive cybersecurity threats?

Only 73% of small businesses and 94% of medium and large businesses say they have cybersecurity governance or risk management measures in place. Ideally, 100% of businesses of all sizes should have at least that. Of the 25% of small businesses who lack any formal cybersecurity measures or governance, 31% say that cybersecurity isn’t a priority to them.

I was really surprised to learn that 20% of small businesses without formal cybersecurity measures said security wasn’t a priority in the 2017 survey. That number grew! Perhaps more small businesses that lacked cybersecurity measures in 2016 or 2017 have them now, but there’s a stubborn group of small businesses which won’t prioritize cybersecurity until they’re hit by a cyberattack that devastates them. That really worries me.

55% of small businesses have carried out some sort of activity to identify vulnerabilities, such as risk assessments, audits, or health checks. But only 12% of small businesses have any sort of formal incident management process in place. Again, I think ideally both figures ought to be 100%.

The survey categorized charities according to their income. Small charities had an income of less than £100,000, medium-sized charities had £100,000 to under £500,000, and large charities had £500,000 or more.

13% of small charities reported breaches or attacks in the past twelve months, compared with 34% of medium-sized charities and 62% of large charities. As with businesses, are larger organizations greater targets, are they better able to detect breaches and attacks, or is it a bit of both?

95% of large charities reported having security governance or risk management measures in place, 87% of medium-sized charities said the same, but only 57% of small charities said they have them. I’d like to see 100% of charities of all sizes reporting the establishment of cybersecurity measures.

Conclusions

So, what did the researchers learn from this year’s survey? From the Cyber Security Breaches Survey 2018 report:

“Cyber security is a high priority for most businesses and charities. Among businesses, there are also indications that senior managers are more regularly engaged with the topic than in the 2017 survey. At the same time, there is still a lot that organizations can do better.

Just five in ten businesses (51%) and three in ten charities (29%) have implemented all of the five basic technical controls under Cyber Essentials, comprising: boundary firewalls and internet gateways, secure configurations, user access controls, malware protection, and patch management (applying software updates).”

Businesses and charities need to consider their organizational cultures. Some organizations continue to see themselves as offline, or too small to be at risk (although this line of thought has declined since the 2017 survey). This is despite having potential risk factors such as their use of personal devices for work purposes. The qualitative survey suggests that organizations take more action on cyber security when they see it as complementing their organizational priorities, rather than competing with them. They take less action when they think it will be a burden to implement cyber security controls, or when they have a fatalistic attitude towards cyber security…