UK Government issues report on cybersecurity breaches
As part of Cyber Resilience Week, Alan Simpson analyses the results of the UK Government’s cyber security breaches survey.
Virtually all organisations now rely heavily on online services such as email, online banking, websites and e-commerce. This exposes them to cyber security risks that can result in major financial and reputational damage.
The necessity for vigilance and effective cyber security should be clear, especially after recent widely publicised breaches such as those reported at British Airways and Edinburgh University.
In addition, the new Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR), requires an organisation that has suffered a breach of personal data to report it promptly (within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk) to the Information Commissioner’s Office. The organisation can then be subject to potentially draconian financial penalties from the Commissioner (up to 20 million euros or 4% of global annual turnover, whichever is the higher).
Small and medium-sized charities and businesses in Scotland can help improve their cyber resilience by achieving Cyber Essentials certification. A small cyber grants scheme is being run to support charities through this process.
In the UK, official statistics on the most common types of cyber security breach are now published annually by the Department for Digital, Culture, Media and Sport (DCMS) in a report called the Cyber Security Breaches Survey. The latest survey was published on 25 April 2018 and is based on data collected in late 2017 and early 2018.
About the survey
A random telephone survey was undertaken between October and December 2017 of 1,519 UK businesses and, for the first time, 569 UK registered charities. Additionally, 50 detailed follow-up interviews were undertaken in early 2018 with organisations that had taken part in the survey.
- Overall, 43% of businesses and 19% of charities reported having suffered cyber security breaches or attacks during the previous 12 months (see Fig 1). Among large businesses (defined as those with 250 or more employees) this rose to 72%, and among large charities (defined as those with incomes of £5 million or more) it was 73%.
Fig 1: Organisations reporting cyber breaches in 2017/18
- Of the organisations that had suffered cyber security breaches or attacks, more than half of both businesses and charities reported being materially impacted by them. The impact included the extra staff time needed to deal with the disruption (during which staff were unable to carry out their normal duties) and, afterwards, the resources needed to bolster defences against possible future attacks.
- The majority of businesses and charities stated that cyber security was a high priority for their senior management. However, fewer than one third had board members or trustees with responsibility for cyber security, and an even smaller number had a formal cyber security policy in place.
- Breaches were more likely to occur in organisations that hold personal data about customers, donors or beneficiaries on their systems.
- Overall, 45% of businesses and 65% of charities surveyed allow BYOD (bring your own device), where staff use their own private devices such as laptops for work purposes. The survey showed that businesses which allow this are more likely to have had cyber security breaches or attacks.
- The number of organisations having formal rules and procedures regarding the encryption of data is relatively small.
- Cyber security could be improved, particularly among smaller businesses (those with 1 to 49 employees) and charities. The survey revealed that only 51% of businesses and, worryingly, only 29% of charities have all five of the basic technical controls in place, which are:
- Promptly applying software updates when released;
- Up-to-date malware protection;
- Firewalls with appropriate configurations;
- Restricting IT administrator and access rights to specific users;
- Security controls on company-owned devices (tablets, laptops, scanners, mobile phones).
Most common types of cyber attacks
The businesses and charities surveyed experienced similar types of breach, the most common being:
- Fraudulent emails, or staff being lured on to a sham website that appears legitimate but is designed to dupe them (phishing);
- Others impersonating the organisation in emails or online;
- Viruses, spyware or other malware.
See Fig 2 below
Fig 2: Top three types of cyber-attack
What was the response to these attacks?
- Approximately half of the businesses and charities that experienced security breaches had existing contingency plans, and most of these organisations reported that their plans had proven effective.
- Overall, only 13% of businesses have a formal cyber security incident management process in place. This rises to 46% among large firms.
- Few charities (8%) have a formal cyber security incident management process in place.
Basic steps to minimise risk of future breaches
Of those who had experienced breaches, 70% of businesses and 63% of charities have since taken preventive action. The most common actions were:
- Updating firewalls;
- Updating anti-virus and anti-malware protection;
- Extra staff training and campaigns aimed at raising staff vigilance.
- Cyber security is seen as being of high importance for most organisations, but much work is still required by many of them to strengthen their defences against attack.
- Increased support from senior management can significantly empower those staff with responsibility for cyber security.
- Raising awareness of cyber security throughout the organisation is important, but the coverage of staff training is low: only 20% of businesses and 15% of charities have had staff take part in any form of cyber security training during the past year.
- Advice on cyber security needs to be pitched to the level of knowledge of its audience and to the type and size of organisation it is addressed to.
- Charities face similar cyber security risks to businesses, for example through online donations or people accessing their services online, yet they typically still lag behind businesses in taking preventive steps.