This year’s DCMS cyber breaches survey has just been released. It highlights the continued pressure that businesses are under from cyber-attacks as well as what they are – or are not – doing to defend themselves against threats.
Key findings include:
- Training has not increased, with only a fifth (20%) of businesses having had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended.
- 43% of UK businesses reported breaches or attacks in the last 12 months (compared to 46% last year), but large businesses are under siege with 72% affected
- Fewer 27% of UK businesses have a formal cyber security policy in place this year (compared to 33% last year)
- The average (mean) cost of breaches with such outcomes is £3,100 (almost doubles from last year), large businesses lose an average of £22,300
- The most common forms of attack affecting UK businesses were Fraudulent emails (75%), hackers impersonating an organisations online (28%), Viruses, spyware or malware (24%) – on a special mention, ransomware dropped to from 17% to 15% this year
As per of our security experts comments series, the experts from Huntsman Security, Verizon and RSA commented below.
Piers Wilson, Head of Product Management at Huntsman Security:
“With high-profile hacks constantly hitting the headlines, the fact that 80% of businesses lack cyber security training is alarming. Given how many breaches UK businesses are facing, not training staff on why security is important invites trouble. Just as we don’t let people drive without getting their licence, every untrained employee could pose a threat. And it’s not just about droning on about policies and processes, it’s about helping staff see why those are necessary and the consequences of ignoring them. Right now, too many people just see security as something that blocks them from doing their job rather than keeping the business safe. Until that changes, security is going to remain and afterthought and we’ll continue to see reports like this.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“It’s particularly noteworthy that around three-quarters of all breaches were linked to staff receiving fraudulent emails, indicating there is still much work to be done on employee education. Our Data Breach Investigations Report (DBIR) has charted the prevalence of this trend for over a decade, and this year’s found that whilst 78% of people don’t click on a single dodgy email all year, on average, 4% of the targets in any given phishing campaign do. Incredibly, the more phishing emails someone has clicked, the more likely they are to do so again!
“However, the threat goes beyond basic phishing to far more advanced social pretexting, of which the DBIR 2018 recorded around 1,500 incidents, leading to 400 confirmed data breaches last year. In these situations, hackers can actually pose as someone in the organisation such as the CEO, by hacking into their email account and then sending internal emails. This enables them to convincingly target finance departments, requesting payments into a bank account belonging to the hacker, or solicit employee details from HR teams to use for fraudulent activity.
“These cases of email fraud are much harder to spot; especially where the hacker has done their homework by clicking around in their victim’s sent items folder to research everything from the style with which they usually write emails, to the phraseology and protocol the company would use in genuine cases of non-fraudulent activity. Employee awareness schemes are critical to ensuring staff are equipped with the ability to spot fraudulent emails and learn to be more cynical to keep the organisation safe; so it’s a concern that just one in five businesses have such training in place.”
Rashmi Knowles, Field CTO EMEA at RSA Security:
“It’s worrying that despite most UK businesses claiming cyber security is a high priority, less than a third of businesses give cyber security responsibility to a board member; only 35 per cent employ information security staff; cybersecurity training programmes are pretty scarce and under three in ten businesses have a security policy in place. It’s no surprise we are seeing so many businesses get hacked! Organisations need to stop paying lip-service and start putting the right people, processes and technologies in place to manage this risk to their business. The worlds of security and risk are converging, and organisations desperately need to recognise that cyber security is a business problem – it’s no longer acceptable to feign ignorance, or claim that your business isn’t at risk, as one in five UK businesses have claimed this year.
“With GDPR just a month away, organisations are in for a rude awakening, as the costs outlined in this report are likely to skyrocket over the next twelve months. Business simply can’t afford to wait until a breach occurs to start taking security seriously. Organisations need to take a business-driven approach to security, where they assess their most important assets and scale security accordingly, to ensure a company’s most important assets, such as IP and customer data, are secured through layered security, multi-factor authentication, advanced threat detection and complete visibility of IT infrastructure.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.