In response to findings from the UK Cyber Security Breaches Survey, IT security experts commented below.
James Romer, Chief Security Architect for EMEA at SecureAuth:
“The report highlights some key issues that businesses and charities in the UK are facing, yet there is very little focus given to protecting businesses at the identity level. The report has found that the most commonly reported breaches include cyber-fraud and impersonation of the organisation, with unauthorised use of devices or networks accounting for a high proportion of breaches last year too.
These threats can all be effectively addressed through complete identity management platforms, combining identity access controls alongside user awareness programs. It appears from the report that businesses and charities have not correctly identified the importance of implementing strategic identity solutions as a priority to improve their cyber defences. It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyberattacks in the future.
Organisations need to go further than just two-factor authentication, utilising Identity platforms that join silos of data together to create comprehensive Identity controls. Part of those controls should be to Implement adaptive authentication that combine techniques such as geographic location analysis, device recognition, IP reputation based threat services, and phone fraud prevention to address the threats at the identity level efficiently.”
David Kennerley, Threat Research Manager, EMEA & APAC at Webroot:
“The increase in UK businesses reporting ransomware is not surprising considering how lucrative and effective this business model can be for threat actors. Ransomware is going nowhere. It’s a business model that continues to keep on giving and offers low risk to the cyber attackers. Because of its incredible success – witnessed in the unprecedented Wannacry attacks last year – attackers are continually deploying new creations with the aim of securing the greatest rewards.
These results should highlight why it is absolutely critical for organisations to have a robust cybersecurity strategy in place to deal with and defend against these kinds of attacks. Due to poor security practices and culture, organisations are sometimes left with no other option but to pay the ransom to get their data back – but be warned, by paying the ransom you are sustaining the model, and more worryingly there’s been many cases previously where even paying the ransom doesn’t guarantee that the cybercriminal will actually return your files.
The key to mitigating these attacks requires a combination of the right security technology, a comprehensive disaster recovery plan (DRP) and employee education, particularly as the report shows that disruptive breaches were most commonly spotted by individuals rather than software. Also, supplementing this education with smart technology, such as AI, will only enhance detection.“
Mark Adams, Regional Vice President, UK & Ireland at Veeam:
“With only one month left before GDPR comes into force, today’s Cyber Security Breaches Survey is another timely reminder to ensure UK businesses are prepared for the worst. We’ve seen the damage that can be caused by the likes of WannaCry, and internal data protection and data management failures within corporates, but the stakes are about to become much higher, thanks to the regulatory penalties coming into force in a month with GDPR and the Data Protection Bill for the UK.
“Reading that over half of the businesses surveyed and six in ten of the charities interview were impacted by breaches or attacks came as no surprise. Especially when you consider that less than half of these companies had the right contingency plans in place to deal with highly disruptive breaches. This is no easy nut to crack. Covering all bases is the demand, but breaking it down into departmental accountability is a way of overcoming some of the pain.
“Hearing that just five in ten businesses (and three in ten charities) implemented the five basic technical controls under Cyber Essentials is completely unacceptable. Worse still, these steps, whilst highly useful to follow, do not cover the issue of data availability.
“Restricted access, firewall configurations, the latest malware updates… it’s all incredibly important, but at some point your business will be breached. It’s inevitable. When it happens, you need to ensure you can remediate quickly to reduce the impact of the attack, and allow your business to remain ‘always on’.
“When 98% of businesses and 93% of charities represented in the survey were found to rely on some form of digital communication or services, we are reminded that businesses cannot afford these services to suffer downtime or lose their availability. The ability to keep these lights on, using data backup and disaster recovery solutions, couldn’t be more important. This should be regarded as a sixth step in the essentials list that is no longer a luxury, but a necessity.”
Simon McCalla, CTO at Nominet:
“The biggest companies are of course the most at risk of attack, as they are often carrying the most desirable and highest concentration of assets. This means they have to be even more fastidious when it comes to protecting their data.
“The absence of internal security staff is not hugely surprising, but it is a concern. Increased technology outsourcing is an established trend, meaning that sensitive enterprise data tasks now handled by MSPs with privileged access to critical systems is a particular area for concern. Data breaches can be caused by an insecure connection, a backdoor, or even an inside agent, and huge data losses can be made. Companies with particularly sensitive data need to seriously consider bringing security teams in-house in order to mitigate these risks and have the expertise to deal with any suspicious events as they occur.
“The lack of awareness around DNS attacks is also leaving companies wide open to be compromised. The vast majority of threats use it to get malicious data either to or from a target. By understanding the patterns and anomalies in this traffic and having visibility of malicious domains, threats can be stopped from communicating effectively.”
Greg Day, VP & CSO, EMEA at Palo Alto Networks:
“Much of the findings in this report show that overall not much has changed from last year. While there are some positive improvements since the last report, in particular more regular senior level engagement, generally it is disappointing because virtually all UK businesses rely on some form of digital communication or services, and the frequency of attacks is edging up. Over four in ten businesses (43%) have experienced cyber security breaches or attacks in the last 12 months, and it’s more likely than not that this will increase over the coming year.
“It’s really important that businesses get basic hygiene right, otherwise you’re just putting hard work, customer data and day-to-day business operations at risk. We need to ask where the problem is coming from. Is it due to lack of knowledge, skills, or resource, or all three?
“Traditional cyber security mindsets have created a heavy human workload, which take up resources. We’re now seeing new legislation which leverages the concept of state of the art cyber security, to meet this modern security capabilities do allow for much greater automation and efficiencies. As such businesses need to consider if they have a modern state of the art security operating platform or a legacy of components. For resource-poor businesses, the cybersecurity industry has started to offer security as a service, so businesses that don’t have the skills internally can leverage others.
“The report’s findings on the adoption of cloud computing tally with our own research, for example that security policies only cover cloud computing 59% of the time for businesses. This rush to the cloud is not taking full account of the security risks. We know from our own research that despite most cybersecurity professionals (64%) saying security is a top priority for their adoption of the public cloud, less than half of respondents are very confident that existing cybersecurity in the public cloud is working well, and only 19% of those we spoke to said they have the correct level of involvement in the security of cloud services. Visibility is critical to IT security, however the move to the cloud has brought with it multiple vendors and new responsibilities for security which is makes visibility harder. Our research found that only around 1 in 10 (13%) cybersecurity professionals said they were able to maintain a consistent, enterprise-class cybersecurity across their cloud(s), networks and endpoints. If we can’t see or understand what good looks like and can’t consistently apply controls to enable our increasingly digital businesses, then we should expect future reports to only get worse. The capabilities and opportunities are there for improvement, businesses just need to take them.”
Matthias Maier, Security Evangelist at Splunk:
“The Cyber Security Breaches Survey report launched today by DCMS clearly highlights the growing cyber security challenge we face in the UK. The research shows a clear variation in security maturity between different sectors and charities as well as in companies of different sizes. While larger organisations might hold more information about a greater number of individuals than a comparatively smaller organisation, both are likely to have similar personal or sensitive data that needs to be protected and safeguarded in the same way – just on a smaller scale. New regulations such as GDPR and NIS will make a difference over the next year as companies are required to take formal action and allocate the appropriate resources to improve security maturity. This will help every industry ensure that the security officer/team gets a seat at the management table and, more importantly, heard if they haven’t been before.”
Justin Coker, VP EMEA at Skybox:
“Getting cybersecurity right is extremely challenging as it’s an overwhelming problem – with the number of vulnerabilities published on average per month by MITRE’s National Vulnerability Database increasing by 100 percent in 2017. But it is incredibly concerning that today’s government report on UK cybersecurity breaches reveals that too many businesses and charities are working in the dark when it comes to preventing and mitigating the effects of a cyber attack. It is striking that a sizeable minority – 44 percent of businesses – aren’t even aware of what led to their breach, and two thirds of business are unable to pinpoint where the breach started. Visibility is absolutely essential if organisations are to protect sensitive data and systems through seeing where the vulnerabilities are and then shutting them down effectively. With GDPR only a month away, organisations are not only exposing themselves to cyber attack, but potentially crippling fines.”
Tony Pepper, CEO at Egress:
“The number of businesses making cybersecurity a priority has increased year-on-year, but this survey shows that there is still a long way to go in addressing the very basics. The fact that almost 50 percent of businesses haven’t implemented the government’s five basic technical controls from Cyber Essentials is concerning, especially as we approach GDPR. From May 25th, a business that is breached will have to prove that it did everything it could to protect sensitive data, so ticking these five boxes is key. This also goes for encryption, with 56 percent of businesses that hold personal information admitting they have not implemented the necessary security controls. These organisations are taking a massive gamble.
“What might be surprising for some is that, in spite of what we see on the news, the most common attacks reported are not sophisticated attacks. The most common attack businesses are facing is fraudulent emails or being directed to fraudulent websites, which 75 percent had experienced. By comparison, viruses, spyware and malware attacks only affected 24 percent. Again, this shows that businesses would benefit from focusing on the basics first, which means the actions of their own staff. Education is important, but organisations also have to put in place processes and technology that helps protect staff from making mistakes that put the company at risk. By prioritising their own employees, the vast majority of attacks could be prevented.”