This year’s DCMS cyber breaches survey has just been released. It highlights the continued pressure that businesses are under from cyber-attacks as well as what they are – or are not – doing to defend themselves against threats.
Key findings include:
- Training has not increased: only a fifth (20%) of businesses have had staff attend any form of cyber security training in the last 12 months, and non-specialist staff are particularly unlikely to have attended.
- 43% of UK businesses reported breaches or attacks in the last 12 months (compared to 46% last year), but large businesses are under siege, with 72% affected.
- Fewer businesses (27%) have a formal cyber security policy in place this year (compared to 33% last year).
- The average (mean) cost of breaches that had an outcome is £3,100 (almost double last year's figure), and large businesses lose an average of £22,300.
- The most common forms of attack affecting UK businesses were fraudulent emails (75%), hackers impersonating an organisation online (28%) and viruses, spyware or malware (24%). Of special note, ransomware dropped from 17% to 15% this year.
As part of our security experts' comments series, experts from Huntsman Security, Verizon and RSA commented below.
Piers Wilson, Head of Product Management at Huntsman Security:
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“However, the threat goes beyond basic phishing to far more advanced social pretexting, of which the DBIR 2018 recorded around 1,500 incidents, leading to 400 confirmed data breaches last year. In these situations, hackers can actually pose as someone in the organisation such as the CEO, by hacking into their email account and then sending internal emails. This enables them to convincingly target finance departments, requesting payments into a bank account belonging to the hacker, or solicit employee details from HR teams to use for fraudulent activity.
“These cases of email fraud are much harder to spot; especially where the hacker has done their homework by clicking around in their victim’s sent items folder to research everything from the style with which they usually write emails, to the phraseology and protocol the company would use in genuine cases of non-fraudulent activity. Employee awareness schemes are critical to ensuring staff are equipped with the ability to spot fraudulent emails and learn to be more cynical to keep the organisation safe; so it’s a concern that just one in five businesses have such training in place.”
Rashmi Knowles, Field CTO EMEA at RSA Security:
“With GDPR just a month away, organisations are in for a rude awakening, as the costs outlined in this report are likely to skyrocket over the next twelve months. Businesses simply can’t afford to wait until a breach occurs to start taking security seriously. Organisations need to take a business-driven approach to security, where they assess their most important assets and scale security accordingly, to ensure a company’s most important assets, such as IP and customer data, are secured through layered security, multi-factor authentication, advanced threat detection and complete visibility of IT infrastructure.”