2019 UK Cyber Security Breaches Survey
Alan Simpson CA highlights some of the key findings from the latest cyber security breaches survey.
Cyber security attacks can seriously damage the operations and reputation of any organisation. Statistics on the most common types of cyber security breaches in the UK have been gathered annually since the initial survey in 2016. The Department for Digital, Culture, Media and Sport (DCMS) commissions the Cyber Security Breaches Survey of UK businesses and charities as part of the National Cyber Security Programme. The survey is classed as an Official Statistic and is produced to the standards required in the Code of Practice for Official Statistics. Its purpose is to measure how UK businesses and charities deal with the need for cyber security and the effect of breaches of their security.
This latest survey was undertaken for DCMS by Ipsos MORI together with the Institute for Criminal Justice Studies at the University of Portsmouth and was published in April 2019. It is based on sample data collected in late 2018/early 2019.
The sample used in the survey
A random probability telephone survey of 1,566 UK businesses and 514 UK registered charities was undertaken between 10 October and 20 December 2018. A further 52 detailed interviews were carried out in January and February 2019 to gain more detail from organisations that had participated in that survey. Public sector bodies (which clearly represent a large part of the UK economy) and sole traders were excluded. The survey publishes its findings in four categories:
- UK businesses and charities overall
- Medium and large businesses
- Micro and small business findings
- Charities (ranked by the categories of low income, middle income and high income).
Occurrence of cyber security breaches
It is encouraging to see a small decrease in breaches occurring in 2019 compared with 2018.
- Overall, 32% of businesses and 22% of charities reported having suffered such breaches during the previous 12 months. (The comparative figures for 2018 were 43% for businesses and 19% for charities.)
- For large businesses (defined as those with ≥250 employees), in 2019 this was 61% (in 2018 it was 72%).
- In the largest charities (defined as those with an annual income of £5 million or more) it was 65% (in 2018 it was 73%).
- In the 2019 survey, 78% (2018: 74%) of businesses and 75% (2018: 53%) of charities stated that cyber security was a high priority for their senior management. However, staff have had cyber security training in only 27% of businesses and 29% of charities.
- Both businesses and charities have made increased efforts to improve their cyber security as a result of GDPR (General Data Protection Regulation) being enacted, with 30% of businesses and 36% of charities having made such changes in 2019.
Out of the 32% of businesses experiencing such attacks or breaches in 2019:
- 32% required new measures to repel possible future attacks
- 27% had staff time taken up dealing with attacks
- 19% had staff unable to carry out their daily work
- 48% identified at least one breach or attack per month.
Out of the 22% of charities having cyber attacks or breaches in 2019:
- 29% required new measures to repel possible future attacks
- 32% had staff time taken up dealing with attacks
- 21% had staff unable to carry out their daily work
- 39% identified at least one breach or attack per month.
What is the average annual cost of cyber breaches or attacks?
The direct costs of a cyber security breach may include the loss of data and/or assets, repair and recovery costs and loss of revenue if customers are unable to access online services. In addition, there can also be indirect costs such as lost productivity of employees and reputational damage to the organisation. The survey gives some information on the cost of breaches by size of the organisation surveyed as follows:
- The average cost to businesses overall in 2019 was £4,180. This was higher than both 2018 (£3,160) and 2017 (£2,450).
- For micro/small businesses in 2019 it was £3,650.
- For medium-sized businesses in 2019 it was £9,270.
- For large businesses it was £22,700 in 2019.
- For all categories of charity in 2019 it was £9,470.
Most common types of cyber attacks
The businesses and charities surveyed experienced the following types of attack:
- “Phishing”, that is, attempts to obtain sensitive or commercially confidential information by an impostor masquerading as a legitimate and trustworthy party in an email or other electronic communication sent to the intended victim. This was experienced by 80% of the businesses surveyed and 81% of the charities.
- Impersonating an organisation in emails or online (e.g. purporting to be HMRC or an entity’s bankers by using a spoof website and website address). This was experienced by 28% of the businesses and 20% of the charities.
- Viruses, spyware or malware. This affected 27% of the businesses and 18% of the charities.
These findings are similar to those reported in the 2018 survey.
Survey conclusions
- Cyber security is now seen by management in both businesses and charities as a higher priority than previously.
- Many more organisations are taking steps to identify the risks they face from cyber crime and are then developing defences against it.
- More businesses now have board members charged with specific responsibility for cyber security.
- The introduction of GDPR has tended to hasten the rate of change towards improving cyber security.
- However, worryingly, relatively few organisations have assessed the risk of cyber attacks in their supply chain.