The UK Government's 2017 Cyber Security Breaches Survey is out and it says nothing new. Across 66 pages it repeats what businesses and the industry already know: businesses are under-prepared, under-skilled and prone to cyber security breaches. What is worrying is that the situation is not getting better.
The survey involved 1,523 UK businesses. Over three months they all took part in a telephone survey, followed by deeper follow-up interviews in January and February. It also comes a day after the British Chambers of Commerce (BCC) released its report on cyber security. Unsurprisingly there is a lot of common ground between the two.
What is the rate of attack?
Just like the BCC report yesterday, it is larger businesses that are getting hit the most. There is no surprise here: they are more likely to notice the attacks and they are likely to yield the most data. However, it is important that we do not ignore the risks that insecure small businesses create for the larger organisations they interact with.
The numbers from the report say that 46% of all UK businesses identified at least one cyber security breach or attack. The larger the business, the more attacks they reported: 66% for medium-sized businesses and 68% for large companies. Again, these numbers are far from the whole truth. The majority of breaches went unreported, with just 26% admitting that they told anyone other than their cyber security provider.
This is where mandatory reporting, backed by heavy fines for failing to report, is required. If breaches are not being reported then it follows that the people whose data is lost are also likely to be unaware. This creates additional risk and emboldens cyber criminals who believe they can get away with it.
The cost of a breach
There are so many different figures running around the market about the cost of a breach. In March, business ISP Beaming commissioned a study from Opinium. From the study they extrapolated that 2.9 million businesses were breached at a cost of £29.1 billion, or roughly £10,000 per business. Meanwhile the Ponemon Institute reckons the consolidated cost of a cyber breach is an amazing $4 million.
Here lies the problem with cost numbers. There is no universal way of measuring them and nobody wants to give details of how they arrive at their number. The result is that the wildly differing numbers confuse IT departments and, especially, main boards.
This report comes up with a markedly different number. It puts the average at just £1,570 per breach. However, it changes by size of firm. Large firms spent £19,600, medium firms £3,070 and smaller firms around £1,380. This seems low considering lost staff time, both business hours and IT hours spent resolving the issue, let alone opportunity costs, consequential impact and lost business. It merely highlights again the lack of evidence behind these cost figures.
Do UK businesses understand cyber security?
Yes and no. They are certainly focused on the problem, but being aware of something and being proactive are two different things. Website, social media page and cloud service usage are all up on 2016. More importantly, over 61% say they hold personal data on their customers inside their computer systems. This means that their attack surface has increased, as has their attractiveness to hackers.
Overall the survey says that 74% of UK businesses see cyber security as a high priority. However, once you begin to look at the detail by business size and sector the numbers change a lot. The survey suggests that the worst offenders are sole traders and businesses with fewer than 10 employees. The problem here is that they lack the money, skills and time to deal with cyber security. As we noted yesterday, the cost of Cyber Essentials accreditation is stopping small businesses from taking it up.
However, there are a lot of small regulated financial firms in that space. It also includes the majority of consultants in the cyber security and IT sectors. These may not all be shining lights, but they are probably far better than a lot of mid-sized enterprises. Cyber Essentials costs small businesses money that they don’t have. That does not mean that they do not have firewalls or AV software, or that they do not patch their machines. They do, but they choose not to spend money on a piece of paper.
When it comes to the C-suite the problem is more complex. They are used to spending money based on business priorities. Money will often be allocated to solve a problem or gain an advantage; once that is achieved, it is spent elsewhere. Cyber security challenges all that and is seen as a black hole of costs. This creates a situation where boards believe that they are seeing nothing for their investment.
Where are companies getting help?
The BCC yesterday reported that many were reliant on their IT supplier. This report continues that theme. It says that 58% have sought advice, though not all of it from IT suppliers: 10% relied on online sources while 32% talked to external IT and security consultants. In a blow for the government, only 4% referred to Government and public sector sources. This is disappointing given the effort the UK Government has spent promoting cyber security.
Interestingly, of those that did look at what the UK Government offered, 75% found it useful. Perhaps the most useful things for many smaller organisations are the checklists for Cyber Essentials and Cyber Essentials Plus. These provide a great checklist for IT security teams but are rarely used. The government should do more to promote them. In fact, when asked, it turns out that 52% of companies already meet the technical criteria for Cyber Essentials. If the UK Government offered a tax credit for companies with under 50 users to get accredited, it would see a significant take-up. This would improve the UK cyber security posture immediately.
A lot of work still to be done
The list of failings in this report is worrying. Many of these are basic things that could be quickly improved, and in doing so companies would improve their cyber security straight away. Among the items in the report are:
- Under two-fifths have segregated wireless networks, or any rules around encryption of personal data (37% in each case).
- A third have a formal policy that covers cyber security risks (33%), or document these risks in business continuity plans, internal audits or risk registers (32%).
- A third (29%) have made specific board members responsible for cyber security.
- A fifth (20%) of businesses have had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended.
- One-fifth (19%) are worried about their suppliers’ cyber security, but only 13% require suppliers to adhere to specific cyber security standards or good practice.
- One in ten (11%) have a cyber security incident management plan in place.
There is a lot in this report that will take time to go through and validate. Some of the numbers look out of step with other reports, but on the whole it simply reiterates what the whole IT industry is saying: breaches are up, skills are short, companies will get breached and data will be lost.
If this report achieves one thing, it has to be a better response to the information the government is putting together about cyber security. It is a major policy area for this government. That means the information has to reach all those who need it, and more has to be done to help companies.
Next year the EU GDPR comes into force. The clock is already ticking, and UK companies can expect a frosty response from EU regulators if they have a breach. Companies, and the government departments responsible for cyber security, need to get their act together.