UK Government’s 2017 Cyber Security Survey identifies weaknesses

This year’s Cyber Security Breaches Survey series shows that cyber security is an issue that affects UK businesses of all sizes and sectors. It shows that the number of businesses with an online presence is growing, as too is the number storing data on the cloud. Alongside this, there is an increasing prioritisation of cyber security, and more businesses have attempted to identify the risks they face.

Virtually all UK businesses covered by the survey are exposed to cyber security risks. Of those surveyed, three-quarters of UK businesses say that cyber security is a high priority for their senior management, with three in ten (31%) saying it is a very high priority. Of the range of factors important for cyber security for businesses, the specific threat of ransomware has increased

Getting good advice on cyber security

Almost 60 per cent of businesses have sought information, advice or guidance on the cyber security threats facing their organisations over the past year. The top specific sources of information mentioned are external security or IT consultants (32%) as well as online searches (10%).

Only 4 per cent mention Government or other public-sector sources, reflecting that awareness of the information and guidance offered by Government remains relatively low. Despite this, three-quarters of those consulting Government sources say they found this material useful. Businesses tend to look to the Government as a trusted source of information and guidance.

Half of all firms (52%) have enacted basic technical controls across the five areas laid out under the Government-endorsed Cyber Essentials scheme. Three-fifths (57%) have also attempted to identify cyber security risks to their organisation, for example through health checks or risk assessments (up from 51% in 2016). However, as in 2016, a sizable proportion of businesses still do not have basic protections or have not formalised their approaches to cyber security.

Just under half of all UK businesses identified at least one cyber security breach or attack in the last 12 months. This rises to two-thirds among medium large firms.

The most common types of breaches are related to staff receiving fraudulent emails (in 72% of cases where firms identified a breach or attack). The next most common related to viruses, spyware and malware (33%), people impersonating the organisation in emails or online (27%) and ransomware (17%). This highlights how, as well as having good technical measures in place, the awareness and vigilance of all staff are important to a business’s cyber security.

Under reporting

External reporting of breaches remains uncommon. Only a quarter of firms reported their most disruptive breach externally to anyone other than a cyber security provider. The findings suggest that some businesses lack awareness of who to report to, why to report breaches, and what reporting achieves.

While breaches do not always result in a material outcome, such as loss of data or network access, in cases where this does happen, it has a significant impact on the organisation. The survey finds that these organisations can also face considerable financial costs from breaches. Partly in terms of the direct results of the breach and recovery or repair costs, but also in terms of the long-term damage to the business’s reputation, among customers or investors.

Ransomware

The findings suggest that the prevalence of ransomware has heightened awareness and made cyber security a more urgent issue for a wider range of businesses. The survey highlights how businesses in sectors that may not expect to be targeted are falling victim to costly ransomware attacks. Such attacks also highlight the inherent value of the data that businesses hold, beyond personal or financial data – with attacks on any kind of data potentially stopping businesses from carrying out day-to-day work and putting relationships with customers at risk.

Businesses are likely to find the information and guidance provided by the Government useful, but relatively few have sought out this information. Currently, many businesses rely on their outsourced providers for advice and guidance, but there is often a lack of trust around advice from private sources. The Government’s recently-launched National Cyber Security Centre is intended to make Government guidance easier to find and understand.

Similarly, while most businesses have at least some basic technical controls, such as firewalls, patched software and anti-malware programmes, few are aware they can be certified for having the full range of controls in the Government-endorsed Cyber Essentials scheme.

Download the full survey from here

Find risk information by organisation size