UK Cyber Security Breaches Survey 2019: The Key Findings

Every year, the UK Government’s Department for Digital, Culture, Media & Sport commissions a Cyber Security Breaches Survey as part of the National Cyber Security Programme.

The survey focuses on private sector organisations and charities of all sizes and looks at the breaches and attacks which have taken place within these UK organisations over the previous 12 months.

In this article, we’ll cover key findings from Cyber Security Breaches Survey 2019 research and look at the issues which will need to be addressed throughout the remainder of 2019 and beyond.

Percentage of organisations that faced attacks or experienced breaches

Overall, 32% of UK businesses and 22% of charities faced cyber-attacks or suffered security breaches last year.

When broken down by the size of the organisation, the percentages of organisations facing attacks or breaches are particularly interesting:

Businesses:
  • 61% of large firms (250+ employees)
  • 60% of medium-sized businesses (50-249 employees)
  • 31% of micro and small businesses (fewer than 50 employees)
Charities:
  • 52% of charities experienced attacks or breaches where their income exceeded £500K
  • 32% of charities with incomes between £100-500K
  • 19% of charities with income of under £100K

As you can see, while a huge number of smaller businesses and charities are being attacked and experiencing breaches, a staggering number of larger organisations are reporting these events.

Why has the number of reported attacks and breaches by businesses dropped from previous years?

It is unclear why there has been a fall in the number of businesses reporting breaches and attacks. The 2017 survey found 46% of businesses to have experienced attacks or breaches, while this number dropped slightly to 43% in 2018 and then to 32% in this year’s 2019 survey.

Some hypotheses were put forward following the survey, such as:

  • Businesses have increased their cyber security postures, thus leading to fewer breaches. However, the data shows that the drop has occurred both for companies that have no formal cyber security rules, controls and processes and for those that do. The data does note that the drop wasn’t quite as pronounced as for the companies that did have these measures in place. However, the data was inconclusive for this.
  • A change in attack behaviours may have taken place, with attackers focussing on a more targeted set of organisations (the median number of attacks increased for those organisations that reported one or more attacks). Another reason might be that attackers are simply using measures that are more difficult to detect.
  • GDPR penalties and a legal requirement to report breaches to the Information Commissioner’s Office (ICO) may have discouraged some survey respondents from answering the survey honestly, not wishing to disclose this sensitive information, possibly out of fear of penalty. Or, some organisations are now framing cyber security purely in the context of data protection as a result of last year’s focus on GDPR.

Although the number of organisations reporting breaches has dropped since last year, the median number of attacks faced has dramatically increased for those organisations that have reported breaches. This increased from two attacks in 2017 to six attacks in 2019. This means that targeted organisations are commonly having to deal with more attacks.

What are the most common types of attacks?

The figure below shows the types of attacks which were reported by affected organisations in the survey.

Unsurprisingly, the Government survey found the most common attacks on organisations are those designed to exploit human error, i.e. fraudulent emails, directing users to fraudulent websites and impersonating others. While cyber security solutions can greatly help prevent these threats reaching the email inbox of employees, they will still get through on occasion, and human error is typically an organisation’s weakest link, something which attackers know all too well.

Microsoft threat analysts have also seen evidence that phishing continued to be the preferred method of attack for cybercriminals in 2018. Thanks to the cloud-based telemetry that Microsoft can collect from its users, it was able to glean phishing insights from the incredible amount of data that it has access to, i.e. more than 470 billion emails in Office 365 every month. Microsoft’s Security Intelligence Report for 2018 found that between January and December 2018, phishing emails increased by 250%.

The Cyber Security Breaches Survey found that other attacks which are combatted by technical controls (e.g. denial-of-service attacks) were far less common.

Microsoft’s Security Intelligence Report noted a significant decline in ransomware between 2017 and 2018. Despite global attacks such as WannaCry and NotPetya taking place in 2017 and making the headlines, 2018 saw decreases—potentially due to attackers changing to stealthier activities such as cryptocurrency mining (as opposed to ransomware which is a blatant denial of access to a victim’s files and a demand for payment). The UK was found to have the fourth lowest malware encounter rate globally (based on user data for Microsoft’s real-time security products), suggesting the UK has, in general, a mature cyber security infrastructure, control measures and citizen awareness compared to many other countries globally.

What are the impacts of attacks on organisations?

The average financial cost for micro/small businesses that lost data or assets from breaches was £3,650 according to the survey. For medium and large businesses, the figures were £9,270 and £22,700 respectively. For all charities, the average cost was £9,470.

Interestingly, the average cost of ‘breaches with outcomes’ (as opposed to breaches which didn’t lead to anything) has risen consistently for businesses over the past few years. In 2017 the cost was £2,450, rising to £3,160 in 2018 and increasing again to £4,180 in 2019. This indicates that when a company’s defences are breached, the costs of this are increasing over time.

Despite these quantitative costs being relatively straightforward for organisations to understand and report, the qualitative element of the survey highlighted factors which many organisations may overlook when calculating the costs and impact of their breaches.

Less obvious costs included:

  • Indirect costs – e.g. downtime and loss of productivity
  • Ongoing costs – e.g. costs of putting together new procedures, measures and controls in place as a response to the breach
  • Intangible costs – e.g. reputational damage

A number of respondents believed that senior management could appreciate the impact of obvious financial costs such as stolen money but failed to understand the more complex economic effect of less tangible impacts and of those associated with implementing new security measures and processes. Organisations perhaps underestimate the true cost of breaches while this remains the case.

Of the organisations that reported attacks or breaches, 30% of businesses and 21% of charities experienced one or more of the negative outcomes listed in the figure below.

This highlights the fact that not all attacks lead to successful outcomes for the hackers. This will largely be due to the cyber security solutions that IT teams are using to ensure preventative measures are in place.

The impact of these outcomes can be seen in the figure below.

As shown by the figure, many of the impacts that organisations face relate to the time and expense of implementing new measures and the time lost for staff.

What approaches are organisations taking to cyber security?

During the survey, organisations were asked about the measures that they had in place to deal with cyber security. Some of the more notable findings are summarised here:

For every ten businesses, around seven were found to have spent money on cyber security in the past year. Only four in ten charities had spent money on cyber security, although this was significantly improved from the previous year—indicating a greater willingness to engage and invest around cyber security.

The Government’s Cyber Essentials scheme provides self-help guidance around five technical controls to help any organisation improve its cyber security posture to cover the essential basics. The findings of the survey reported that 56% of businesses and 41% of charities have implemented controls in all five of the technical areas outlined within the Cyber Essentials scheme—suggesting that although progress is being made compared to previous years, there is still work to be done for many organisations.

The survey also showed that businesses (57%) and charities (43%) are updating their senior management at least once a quarter on cyber security developments within the organisation—an improvement from the previous year.

Formalised cyber security policies in writing have become more common in both businesses (33%) and charities (36%) over the last year.

Charities were found to be increasing their efforts around identifying cyber risks including activities such as security health checks, audits and risk assessments. 60% of charities undertook these activities, similar to the percentage of businesses (62%).

Staff training in cyber security was found to have increased over the past year for both businesses and charities. 27% of businesses and 29% of charities reported having had staff attend some form of training.

Outsourcing cyber security was found to be a key approach to dealing with cyber security for many organisations and charities. As you can see from the figure below, 49% of all businesses and 32% of charities outsource to an external security partner. The way in which organisations used their outsourced partner varied, depending on what each organisation wanted to keep in-house. Some organisations outsourced everything, whereas others used their partner as a cost-effective way of acquiring the skillsets which they didn’t have in-house.

The qualitative findings of the study found that organisations that outsourced were also more likely to treat cyber security as a high priority—with some organisations viewing engaging with a cyber security partner as an indication of how seriously they were taking cyber security and improving their security posture. External partners were seen as an important provider of guidance, information and best practice.

What can organisations do to improve cyber security?

Make cyber security a business priority

Business leaders and board members must make cyber security a business priority. It shouldn’t simply be an IT decision. Board members and senior managers should take an interest and be updated regularly with the ongoing progress and developments around their organisation’s security activities.

Many security professionals will testify that it is much easier to change the organisational culture to one which embraces good security practices—if the policies and processes are endorsed and enforced by those at the top.

Take a holistic approach to cyber security

Many businesses and charities will frame cybersecurity in different ways. While one company may focus solely on GDPR compliance and protecting personal data, another may focus on preventing hackers from hiding in the network and running stealth operations such as crypto-mining activities. Cyber security appears to mean different things to different people.

What companies should aim to do is to implement a holistic approach to security. That means companies should consider their people, processes and technology and take a wider range of actions around cyber security.

As well as the right technology, many organisations still don’t have cyber security policies, processes and training in place—which are all important in the journey towards a more mature and holistic security posture.

Organisations should also consider the supply-chain risk and potentially assess the security measures and policies that their suppliers have in place—something which is commonly underestimated as a potential source of threats.

Raise staff awareness and training

The survey found that only 27% of businesses and 29% of charities sent staff on training. Considering human error is typically the weakest link, and that many organisations feel they lack skills within cyber security, investing in some training may help increase resilience.

Educating employees on the importance of cyber security measures and increasing employee buy-in for security projects and policies is also an area where training can help. Board members, senior managers and employees need to understand the business risks around cyber security and should understand the indirect costs of breaches such as loss of productivity and reputational damage, not just the obvious costs such as stolen funds.

Be proactive

Another finding from the survey was that many businesses expected information and guidance to be pushed out to them. However, the fact of the matter is that organisations need to be seeking information themselves.

A good starting point for making sure you have the basics covered is the National Cyber Security Centre website and the Government’s Cyber Essentials and Cyber Aware schemes. Plenty of guidance and support is included and once you have implemented the procedures you can gain Cyber Essentials Certification — which demonstrates to your customers and suppliers that you are acting to tackle cyber threats.

You can always continue to invest in, and improve, your security posture once the basics are in place.

Invest in technology

There are a host of security products and solutions available on the market and it can be difficult for organisations to choose which is right for them.

For those companies that are already using Microsoft products such as Windows and Office 365, we would highly recommend looking at Microsoft’s cutting-edge and cloud-based threat protection suite, part of Microsoft 365. We don’t believe that there is any other security offering on the market as compelling as Microsoft’s; the value that companies of all sizes can get from Microsoft 365’s enterprise-grade security offering is exceptional.

If you aren’t sure on how best to utilise the available technologies, speak to a cyber security partner about the possibility of a consultancy project.

Consider outsourcing to a cyber security partner

It is predicted that there will be a shortage of 3.5 million security staff by 2021—another reason why so many organisations are now opting for managed security service providers (MSSPs) and outsourced Security Operations Centre (SOC) services.

Outsourcing to a cyber security partner can be a cost-effective way of gaining access to a vast array of expertise and experience, whilst also allowing you to offload a significant amount of workload from your internal IT team.

Many organisations that keep security in-house invest in advanced threat detection software only to find that they don’t know what to do with the threats that they are being alerted to. This is where outsourcing to a SOC might be the best option for organisations that want to increase their cyber resilience.

A Security Operations Centre (SOC) is a dedicated team of cyber security experts that are focused on preventing and responding to cyber-attacks and security breaches. SOCs act as a centralised security hub—receiving telemetry from across IT infrastructure, networks, data and endpoints to gain visibility of the activities and events taking place across these environments. They oversee monitoring to detect potential threats, providing advice on preventative and remedial actions to be taken in response to the threat analytics and assessments that the SOC team generate. This is available as a service where you pay a monthly retainer per device or user.

Again, this gives you access to on-demand expertise, allowing your team to carry on doing their day-to-day work and giving you peace of mind that your security is in hand.