UK businesses are more aware and better prepared than ever when it comes to preventing or dealing with cyber attacks, but the threats are constantly evolving and businesses must be sure not only to keep up, but to get ahead of the game.
The Government Department for Digital, Culture, Media & Sport recently released the latest Cyber Security Breaches Survey.
First published in 2016 and conducted annually since, the survey aims to give an indication of the extent to which attitudes and approaches to cyber security have improved over time. One trend that still needs improvement is that smaller businesses, although heading in the right direction, are still lagging behind the larger businesses in key areas. The need for robust cyber security practices and processes is not confined to large businesses; it is essential for ALL businesses.
So, what does the survey tell us about the Cyber Health of UK Businesses in 2020?
The upward trend of businesses prioritising cyber security continues, but smaller businesses need to step it up.
The good news is that more businesses than ever, large and small, are making Cyber Security a high priority. Whether it’s in response to a previous breach or attack or an evolution in thinking, protecting the business from Cyber Attack is now firmly on the radar of Senior Management.
As perhaps expected, large and enterprise businesses are again taking the lead here, with 95% of them making Cyber Security a priority, and the figures reveal that making it a priority for your business may well be worthwhile, regardless of its size.
If larger organisations’ boards are paying attention then you can bet that their suppliers, partners and their tender process will fall under the same cyber scrutiny. Simply put, if your business is part of the supply chain or looking to win contracts, then you need to make sure your business is taking cyber security seriously, and be able to prove as much, when dealing with larger companies with more established and demanding Cyber Security mandates. Nearly half of large businesses are now actively and formally reviewing the security practices of their immediate suppliers, and one quarter of businesses are extending this to their entire supply chain. These numbers are expected to rise and such reviews will soon become commonplace, so make sure your business is ahead of the curve.
In smaller businesses it is typically unlikely that the necessary skills exist in-house to effectively identify and mitigate security risks: on average across small and micro businesses, only around half of those surveyed stated they have a member of staff whose job role formally includes Information Security. Help is out there, however, as nearly 70% of SMBs can attest to having sought outside assistance for their Cyber Security needs, whether via an external partner or from Government or other sources offering advice or direction. Micro businesses (identified as having 1-9 employees), however, are not reaching out as much for cyber help. This trend is concerning, and suggests that these businesses see little urgency or necessity in tackling Cyber Security issues, but they need to beware: being small doesn’t exclude you from being a target for attack, especially if you’re part of a supply chain.
There’s no doubt that GDPR has woken a few businesses up to the need to implement robust cyber security practices. Since its introduction in early 2018 there has been a marked jump in the number of businesses, large and small, where cyber security is now a high priority. New legislation such as GDPR is a great way to make sure your business is compliant, but it should also be seen as an opportunity to put the foundations in place for a more structured security strategy moving forward. Businesses that merely ‘tick the box’ with their approach to security are missing the point of security altogether.
Businesses today are facing more frequent, more sophisticated, and more targeted attacks than ever before.
According to the survey, nearly half of all UK businesses have identified an attack or breach in the past 12 months. That fact on its own is staggering to comprehend, but when you consider that it is based only on the number of identified attacks or breaches, it becomes more alarming still. What about the attacks or breaches that were not picked up? Those that were unsuccessful, too small to have an impact or, worse, those that were successful and never identified?
If you’re thinking these figures are inflated by the ‘big target’ enterprises, you may want to take a closer look. Yes, the proportion of larger businesses reporting attacks and breaches is higher, up to 75%, but with typically larger budgets and more resources to dedicate to security, you would expect these businesses to ‘catch’ more of these attacks.
It does not necessarily follow, therefore, that there are any fewer attacks targeting smaller firms than larger organisations, only that fewer are being identified.
In reality, the types of threat faced and the frequency of attack are likely to be roughly the same whether you are a large or small business. ‘Phishing’ is by far the most common form of attack, with 86% of attacks being identified as such, and typically, specific targeted attacks aside, these are sent out by the attacker far and wide in a ‘scattergun’ approach that does not discriminate based on the size of your business.
So the bad news is that if you use email, you are just as much at risk as a micro-business as you are as an enterprise. The good news, however, is that to defend against the vast majority of phishing attacks you don’t need a huge budget, dedicated security teams or expensive technology: the most effective form of defence against phishing is awareness and education. According to the survey, nearly two-thirds of identified attacks were picked up after members of staff raised the alarm. Making your staff aware of threats, what to look for and what to do (or not to do, which is possibly more important!) if they receive anything suspicious costs your business relatively little but could save a lot, potentially even the business itself.
UK Businesses are getting better at preparing for and recovering faster from attacks.
One of the biggest causes of reputational and financial damage following a breach is time: time to recover data and time to recover operations equates to time that your business is not doing business. It’s encouraging, then, that the majority of businesses affected by a breach or an attack are able to recover much more quickly now than when the survey first measured this in 2017. 90% say they were able to fully recover from a significant breach within 24 hours, but more impressive still is that 72% of businesses were now able to recover almost instantly, up from just 57% in 2017.
Preparation is key: knowing your risks, backing up your data and implementing well-rehearsed procedures can all aid fast recovery. Even for small businesses and startups where security may not be at the forefront of your thinking, or where you may not have the expertise required in-house to effectively analyse and mitigate your risks, don’t ignore it; there are organisations and government entities like the NCSC that exist entirely to help businesses like yours plan for and defend against cyber threats.
Are businesses doing enough to identify their key risks?
For a company, the first step in mitigating the threat of a cyber attack or breach is to understand the specific risks that the business faces. The risks can then be assessed and mitigating steps taken according to their potential impact on the organisation. This is not a ‘one and done’ type of activity, but an iterative process that needs regular review. Internal audits are a good start, but the research shows that, particularly in smaller businesses, what is considered an ‘internal audit’ can amount to little more than an informal discussion between staff, or with a provider, around ad-hoc measures that could be put in place.
In some cases, what businesses classed as an ‘External Audit’ didn’t fare much better. Although around half of all the businesses surveyed stated they had undertaken an external audit, often this was not a dedicated Cyber Security audit but part of a broader financial audit or similar. Also, 20% of businesses that had carried out external audits stated that they had done this only once.
There is clearly considerable scope, then, among UK businesses for ‘marking your own work’, which can quite literally give a false sense of security. On average, less than half of smaller businesses had reached out to an external resource to take care of their Cyber Security. This means that the majority of these may be unaware of just how vulnerable they are to a cyber attack, or of how they might recover from one should the worst happen.
It’s a fact that each business is unique in terms of the cyber risks it faces. Surveys such as the Cyber Security Breaches Survey can help give a snapshot of what businesses across the UK are doing to mitigate that risk and of how attitudes and practices are changing over time. What is clear is that the majority of threats don’t discriminate by the size or nature of the businesses they can affect. Smaller businesses should look to the larger companies, how they are adapting to respond to the ever-evolving threat landscape, and the steps they are taking to protect themselves.
Don’t assume your business is exempt because of its size, or somehow flying below the radar of the bad guys. The best time to discover whether you’re prepared for an attack is before you get attacked, and the best time to give your cyber health the once-over is now.